Preface 



Here are some major contributions to the literature on modern cryptography: the papers 
presented at CRYPTO 84. It is our pleasure to share them with everyone interested in this 
exciting and growing field. 

Each section of this volume corresponds to a session at the meeting. The papers were 
accepted by the program committee often only on the basis of abstracts, and appear here without 
having been otherwise refereed. The last section contains papers for some of the impromptu 
talks given at the traditional rump session. An author index as well as a keyword index, whose 
entries were mainly supplied by the authors, appear at the end of the volume. 

The first two open meetings devoted to modern cryptography were organized 
independently: one by Allen Gersho during late Summer 1981 in Santa Barbara, and the other 
by Thomas Beth and Rudiger Dierstein in Germany the following Spring. David Chaum 
organized a successor to the Santa Barbara meeting the next year, which launched the 
International Association for Cryptologic Research. The sponsorship of the association has 
continued the unbroken series of annual Summer CRYPTO meetings in the U.S. and annual 
Spring EUROCRYPT meetings in Europe. 

It is our pleasure to thank all those who contributed to making these proceedings possible: 
the authors, program committee, other organizers of the meeting, IACR officers and directors, 
and all the attendees. 

College Station, Texas G.R.B. 
Amsterdam, the Netherlands D.C. 
March 1985 
A PROTOTYPE ENCRYPTION SYSTEM USING PUBLIC KEY 



Authors: S C Serpell, C B Brookson and B L Clark. 

British Telecom Research Laboratories, Martlesham Heath, Ipswich, 
Suffolk, IP5 7RE. United Kingdom. 

BACKGROUND 

The use of cryptography to produce a secure method of user authentication 
and to encipher traffic on data or digital links has been the 
aim of many of those defining theoretical schemes and techniques. 
This paper describes an experimental realisation of these aims in 
hardware, in order to provide a secure and authenticated communications 
channel. 

The communications channel in this case could be part of almost any 
service, such as videotex, teletex, Local Area Networks, packet data 
systems, telex or conventional telephone data links. 

SYSTEM REQUIREMENTS 

The basic objective is that authorised users, and only authorised 
users, should be able to exchange meaningful data over a link. 
This statement actually conceals not one but two tasks: firstly, 
verifying the identities of the would-be link users to one another 
(authentication), and secondly, processing their data so as to make 
it unintelligible to eavesdroppers (encipherment). Both criteria 
have to be met by electronic means without any excessive operational 
constraints or overheads. 

The traditional approach to the problem is for users' encryption 
equipment to deploy a conventional algorithm such as British Telecom's 
B-Crypt (1) or the American Data Encryption Standard DES (2). Users 
exchanging information have to be party to the same key. Successful 
interworking then gives implicit proof of the user identities, but the 
need for the secure distribution of pre-agreed secret keys represents 
a massive overhead which becomes impractical in large systems. It is 
impossible to set up a secure communications link without an exchange 
of keys prior to link set-up, and this represents a severe if not 
prohibitive drawback in services such as LANs or teletex. 

Another approach is to use a public key algorithm such as RSA (3). 
This can reduce the key management overhead to an acceptable level 
and at the same time authenticate user identity, allowing secure 
links to be established between strangers. But most implementations 
of public key so far have been relatively inefficient, generally 
limited to a speed of operation of a few tens of bits per second. Thus 
they do not support the encipherment rates needed in many applications 
(4). 

However, by combining the conventional and public key methods in a 
system, it is possible to obtain the best of both worlds. Public 
key procedures are used at link set up time to prove user identities 
and establish a secret key which is used in the conventional 
encipherment of the data. This combination, in order to be applicable 
to most communications links and easy to use, needs to be defined 
carefully to overcome any inherent risks and to obtain an operationally 
secure system. 

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 3-9, 1985. 

The experimental system described here was designed to meet the 
following requirements: 

SECURITY To use public keys of up to 512 bits and any conventional 
algorithm desired. No long-term sensitive information to be 
held within the equipment. 

SPEED The equipment should allow automatic set up of a secure 
link within 3 seconds. 

COMMUNICATIONS LINK The units to be able to work on most types of 
links, at transmission speeds of up to 19 bytes, and be tolerant 
of link errors. 

USER FRIENDLINESS The interface and requirements placed on the 
system user to be as secure as possible. 

USER IDENTITY The individual user to be identified by tokens, defining 
him and his access rights and privileges. The token needs 
to be unforgeable. 

USERS It should be possible to use the equipment for inter-terminal 
communications as well as for services involving hosts 
and databases. 

ENCIPHERING METHOD 

Bilateral Communications 

A participant A in an RSA-type public key system is provided with 
three entities; an exponent EA and a modulus MA which are public 
knowledge and comprise the 'public key', and a further exponent 
DA which is known to A alone and comprises the 'secret key'. A 
message P may be enciphered by raising P to the power EA (or DA) 
modulo MA to form ciphertext C. The original plaintext P is 
recovered by raising C to the power DA (or EA) modulo MA. Since 
DA is known only to A, this permits the following authentications: 

- Only A can recover a message enciphered under EA, so a 
user who enciphers data under A's public key can be confident that 
only A may understand the message. 

- Only A could originate a message enciphered under DA, so a 
user who deciphers a message using A's public key can be 
confident that only A could have sent the message. 

A number of public key protocols are possible which take 
advantage of these properties (5,6). The set-up protocol adopted 
in the experimental system creates a random number R shared between A and B, 
keeping R secure against eavesdropping, as follows: 

1 An unenciphered link is established. 

2 A invents a random number RA, and enciphers it under B's 
public key to form SA=RA exp (EB) [mod MB]. Similarly, B 
forms SB=RB exp (EA) [mod MA]. 

3 The users exchange SA, SB. 

4 User A recovers RB=SB exp (DA) [mod MA], user B recovers 
RA=SA exp (DB) [mod MB]. 

5 Both users form R=RA xor RB. 

The conventional key subsystem then derives a key K so that the users 
may communicate: 

6 Both users truncate R in the same way to obtain a key K 
and an initialisation vector IV. 

7 Both users load K to encrypt all following data using the 
conventional algorithm. 

Unless both parties use the same K and commence secure communication 
with the same initialisation vector IV, the information exchange 
will fail, so authentication is complete in the first subsequent 
exchange of data. 

Multiple Users 

The simple protocol above can be modified to include multiple users, 
so that: 

1 User A creates RA and forms SAB=RA exp (EB) [mod MB], 
SAC=RA exp (EC) [mod MC] ..., while user B forms SBA, SBC..., 
C forms SCA, SCB... etc. 

2 Users then exchange SAB, SAC..., SBA, SBC..., SCA, SCB... 
etc. 

3 A then recovers RB=SBA exp (DA) [mod MA], RC=SCA exp (DA) 
[mod MA] ..., B recovers RA, RC..., and C recovers RA, RB... 
etc. 

The conventional algorithm is then used for communication as before. 

Certification of Keys and Privileges 

In a secure system a user could obtain the public key and privileges 
of access of his desired partner by interrogating a reliable public 
key directory. This limits the flexibility and response time of the 
system as a secure call to the directory must be made before key 
exchange can take place. 

A method of certifying keys is therefore introduced using a system 
public key known to an issuing authority. Extra steps are needed 
to establish the certificates which are then issued to the users: 

a System public key values ES, MS and DS are established. 

b ES, MS are widely distributed so that each user is assured 
of their values; DS is kept secret by the issuing authority. 

c Each user is issued with a certificate of his identity, public 
key, and any other useful information (eg. access rights, 
privileges, name etc) protected using the system secret 
key DS. Thus user A's certificate could be CA=ZA exp (DS) [mod MS] 
where ZA is the string formed by the concatenation of A:EA:MA:...., 
or alternatively a certificate could be formed by appending a 
banking-message type authenticator at the end of the string 
A:EA:MA.... based on DS (7). 

The public key protocol now commences: 

1 Users A, B establish unenciphered links, 

1a Users A, B exchange certificates. 

1b User A obtains B's public key EB, MB from ZB=CB exp 
(ES) [mod MS], while B similarly obtains A's public key. 

This certificate system is also available for multiple users. 
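A toy run of the set-up protocol (steps 1 to 7) together with certificate steps c, 1a and 1b, as an added example that is not the authors' code: it uses textbook RSA on deliberately small constructed primes, so the modulus sizes, the 9-byte packing of A:EA:MA and the 20-bit K and IV are assumptions of the example, not values from the prototype.

```python
"""Toy walk-through of the BT set-up protocol (steps 1-7) and the certificate
steps c, 1a, 1b. Constructed example, not the authors' code: textbook RSA on
deliberately tiny primes, no padding, fixed inputs instead of randomness."""


def rsa_keypair(p, q, e=65537):
    """Return (E, M, D) in the paper's notation for the primes p, q."""
    return e, p * q, pow(e, -1, (p - 1) * (q - 1))   # pow(e, -1, n) needs Python 3.8+


# Issuing-authority (system) key: ES, MS are published, DS stays with the authority.
ES, MS, DS = rsa_keypair(2**31 - 1, 2**61 - 1)
# User keys; DA and DB would live only on each user's token.
EA, MA, DA = rsa_keypair(1000003, 1000033)
EB, MB, DB = rsa_keypair(1000037, 1000039)


def pack_identity(name, e, m):
    """ZA = A:EA:MA as one fixed-width integer (1 + 3 + 5 bytes, so Z < MS)."""
    raw = name.encode() + e.to_bytes(3, "big") + m.to_bytes(5, "big")
    return int.from_bytes(raw, "big")


def unpack_identity(z):
    raw = z.to_bytes(9, "big")
    return raw[:1].decode(), int.from_bytes(raw[1:4], "big"), int.from_bytes(raw[4:], "big")


def issue_certificate(z):
    """Step c, done once by the authority: C = Z^DS mod MS."""
    if not 0 < z < MS:
        raise ValueError("identity string must fit under the system modulus")
    return pow(z, DS, MS)


def open_certificate(c):
    """Step 1b, done by the partner: Z = C^ES mod MS using only the public system
    key. A forged or damaged certificate decodes to garbage, which the caller
    must reject before trusting the public key inside it."""
    try:
        return unpack_identity(pow(c, ES, MS))
    except (UnicodeDecodeError, OverflowError):
        return None


def exchange(ra, rb):
    """Steps 2-5 from both ends of the link; returns (R as seen by A, by B)."""
    sa = pow(ra, EB, MB)            # A: SA = RA^EB mod MB, only B can undo this
    sb = pow(rb, EA, MA)            # B: SB = RB^EA mod MA, only A can undo this
    # Step 3: SA and SB cross the still-unenciphered link. An eavesdropper sees
    # both values but holds neither DA nor DB, so learns neither RA nor RB.
    rb_at_a = pow(sb, DA, MA)       # step 4, A's side
    ra_at_b = pow(sa, DB, MB)       # step 4, B's side
    return ra ^ rb_at_a, ra_at_b ^ rb   # step 5: R = RA xor RB


def derive_k_iv(r):
    """Step 6: both ends truncate R identically. The toy R is about 40 bits, so K
    and IV are 20 bits each here; the real unit works with up to 512 bits."""
    return r & (2**20 - 1), (r >> 20) & (2**20 - 1)
```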

SYSTEM REALISATION 

The experimental hardware is built to realise the protocols and enciphering 
processes already described. The ease of use of the hardware, 
together with the security it could afford, were the two maxims that 
were employed when designing the system. Figure 1 shows the system 
block diagram. 

Equipment Interface 

The system is housed in a stand-alone case, and uses V24 (RS232) serial 
interfaces to interconnect the user (terminal or system) to the 
communications link (modems, local area networks etc). Another replica 
unit is employed by the communicant at the other end of the communications 
link. 

Token 

The certified part of the key, ZA for user A (containing his 
privileges and public key), his secret key (DA) and A's copy of the 
system public key ES and MS are stored in this realisation on a 
DataKey (8), which is essentially a block of memory in the form of some 
Electrically Alterable Read Only Memory (EAROM) encased in plastic 
in the shape of a key. This key is certified, and the secret key is 
protected by being combined with a seven-digit randomly selected 
number which is the Personal Identity Number (PIN) of the key holder. 
Other forms of token, such as magnetic cards, are equally suitable. 

Use 

The link is first established between the users in unencrypted mode, 
and the user requiring encipherment inserts his key into a 
receptacle. The key is then read, and the user is requested to enter 
his PIN by a message displayed on a liquid crystal panel. After his 
PIN has been entered, a message is sent to the distant user inviting 
him to insert his key and enter his PIN. The exchange protocol then 
takes place, and each user should then finish up with the same random 
number, which is used to derive the conventional enciphering key and 
initialisation vector. 

Finally, a verification message is then passed between enciphering 
systems to establish that the exchange has been successful. Each 
user is able to inspect the certified names of his partners as they 
are displayed on his own enciphering equipment. The user equipment 
is now able to conduct an enciphered communications session. 

The link is terminated by the withdrawal of a key, and the enciphering 
units are returned to plaintext mode. 

HARDWARE DEVELOPED 

User View 

The hardware developed in the initial phase consists of the user 
interface presented to the operator and three other sub-systems 
described below which implement the protocols adopted. The sub-systems 
are integrated into a small rack unit in this prototype 
realisation. 

The user connects the enciphering unit between his terminal and the 
communications link using the serial ports. He is presented with 
four interfaces: 

- A display to provide plain language instructions, status and 
fault conditions, 

- An audio sounder to draw attention to operating conditions 
requiring attention, 

- A numeric keyboard to input the PIN, 

- A key receptacle for the DataKey. 

Exponentiator 

A hardware public key exponentiator capable of exponentiation of 
numbers up to 512 bits in length. This uses conventional TTL 
integrated circuits. The exponentiation of a 512 bit number takes 
about one second. The exponentiator connects to a controlling 
microprocessor by serial interfaces. 

Stream Cipher 

The conventional encryption is performed by equipment using B-Crypt 
in additive stream cipher mode or DES in cipher feedback mode. The 
control microprocessor loads the key and IV through a specially 
dedicated serial port, and the plaintext and ciphertext through a 
pair of serial ports. 

Control Microprocessor 

An Intel 8085 is used as the control microprocessor. Serial ports 
connect the control circuitry to the user and communications link, 
and the exponentiator and stream encryptor. Parallel ports control 
the liquid crystal display and PIN input pad. The protocol is implemented 
in software. 

RESULTS 

Two experimental units have been produced, and these have been 
tested on various links such as on a local area network and a modem 
line connection. The hardware has operated reliably, and is capable 
of going into encrypted mode within 3 seconds of initiation. This 
interval of time has proved acceptable to users. 

The experimental equipment produced has proved to be a valuable step 
towards the proof of the system viability. This concept forms the 
basis of a 'universal' encryption system, and further continuing 
evaluation and development is being carried out. The particular 
conventional and public key algorithms used in the initial stage are 
also subject to further scrutiny and evaluation. The overall system 
size is being reduced by adopting integration techniques on the various 
circuit elements. 
A PUBLIC KEY CRYPTOSYSTEM AND A SIGNATURE 
SCHEME BASED ON DISCRETE LOGARITHMS 



Taher ElGamal 

Hewlett-Packard Labs 
1501 Page Mill Rd 
Palo Alto CA 94301 

ABSTRACT 

A new signature scheme is proposed together with an implementation of the Diffie-Hellman 
key distribution scheme that achieves a public key cryptosystem. The security of both 
systems relies on the difficulty of computing discrete logarithms over finite fields. 

1. INTRODUCTION 

In 1976, Diffie and Hellman [3] introduced the concept of public key cryptography. Since 
then, several attempts have been made to find practical public key systems (see for example 
[8,7,9]) depending on the difficulty of solving some problems. For example, the RSA system 
[9] depends on the difficulty of factoring large integers. This paper presents systems that 
rely on the difficulty of computing logarithms over finite fields. 

Section 2 shows a way to implement the public key distribution scheme introduced by 
Diffie and Hellman [3] to encrypt and decrypt messages. The security of this system is 
equivalent to that of the distribution scheme. Section 3 introduces a new digital signature 
scheme that depends on the difficulty of computing discrete logarithms over finite fields. It is 
not yet proved that breaking the system is equivalent to computing discrete logarithms. Sec- 
tion 4 develops some attacks on the signature scheme, none of which seems to break it. 

Section 5 gives some properties of the system. Section 6 concludes and gives some remarks. 

This work was supported by the NSF under contract ECS83 07741 while the author was at the 
Information Systems Laboratory, Stanford University. 

2. THE PUBLIC KEY SYSTEM 

First, the Diffie-Hellman key distribution scheme is reviewed. Suppose that A and B 
want to share a secret $K_{AB}$ where A has a secret $x_A$, and B has a secret $x_B$. Let $p$ be a large 
prime and $\alpha$ be a primitive element mod $p$, both known. A computes $y_A = \alpha^{x_A} \bmod p$, and 
sends $y_A$. Similarly B computes $y_B = \alpha^{x_B} \bmod p$ and sends $y_B$. Then the secret $K_{AB}$ is 
computed as 

$$K_{AB} = \alpha^{x_A x_B} \bmod p = y_A^{x_B} \bmod p = y_B^{x_A} \bmod p .$$

Hence both A and B are able to compute $K_{AB}$. But for an intruder computing $K_{AB}$ appears to 
be difficult. Note that it is not yet proved that breaking the system is equivalent to computing 
discrete logarithms. For more details refer to [3]. 

In any of the cryptographic systems that are based on discrete logarithms, $p$ must be 
chosen such that $p - 1$ has at least one large prime factor. If $p - 1$ has only small prime 
factors, then computing discrete logarithms is easy (see [8]). 

Now suppose that A wants to send B a message $m$, where $0 \le m \le p - 1$. First A chooses 
a number $k$ uniformly between 0 and $p - 1$. Note that $k$ will serve as the secret $x_A$ in the key 
distribution scheme. Then A computes the "key" 

$$K = y_B^{k} \bmod p , \qquad (1)$$

where $y_B = \alpha^{x_B} \bmod p$ is either in a public file, or is sent by B. The encrypted message (or 
ciphertext) is then the pair $(c_1, c_2)$, where 

$$c_1 = \alpha^{k} \bmod p , \qquad c_2 = K m \bmod p , \qquad (2)$$

and $K$ is computed in (1). 

Note that the size of the ciphertext is double the size of the message. Also note that 
the multiplication operation in (2) can be replaced by any other invertible operation such as 
addition mod $p$. 

The decryption operation splits into 2 parts. The first step is recovering $K$, which is easy 
for B since $K = (\alpha^{k})^{x_B} = c_1^{x_B} \bmod p$, and $x_B$ is known to B only. The second step is to divide 
$c_2$ by $K$ and recover the message $m$. 

The public file consists of one entry for each user, namely $y_i$ for user $i$ (since $\alpha$ and $p$ are 
known for all users). It is possible that each user chooses his own $\alpha$ and $p$, which is preferable 
from the security point of view but that will triple the size of the public file. 

It is not advisable to use the same value $k$ for enciphering more than one block of the 
message, since if $k$ is used more than once, knowledge of one block $m_1$ of the message 
enables an intruder to compute other blocks as follows: 
Let 

$$c_{1,1} = \alpha^{k} \bmod p , \qquad c_{2,1} = m_1 K \bmod p ,$$

and 

$$c_{1,2} = \alpha^{k} \bmod p , \qquad c_{2,2} = m_2 K \bmod p .$$

Then 

$$\frac{m_1}{m_2} = \frac{c_{2,1}}{c_{2,2}} \bmod p ,$$

and $m_2$ is easily computed if $m_1$ is known. 

It can be easily seen that breaking the system is equivalent to breaking the Diffie-Hellman 
distribution scheme. First, if $m$ can be computed from $c_1$, $c_2$, and $y$, then $K$ can also be 
computed from $y$, $c_1$, and $c_2$ (which appears like a random number since $k$ and $m$ are 
unknown). That is equivalent to breaking the distribution scheme. Second, (even if $m$ is known) 
computing $k$ or $x$ from $c_1$, $c_2$, and $y$ is equivalent to computing discrete logarithms. The 
reason is that both $x$ and $k$ appear in the exponent in $y$ and $c_1$. 
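The encryption and decryption of this section, plus the block recovery that follows from reusing $k$, as an added example that is not the paper's code: the toy prime $p = 2027$ (so that $p - 1 = 2 \cdot 1013$ has a large prime factor) and the generator search are constructed for illustration and far too small for real use.

```python
"""ElGamal encryption of Section 2 on a toy safe prime, plus the block
recovery that follows from reusing k. Constructed example, not the paper's
own code; the parameters are far too small for real use."""
import secrets

p = 2027                  # constructed toy prime; p - 1 = 2 * 1013 has a large prime factor
q = (p - 1) // 2


def is_generator(a):
    """For p = 2q + 1, a is primitive iff a^2 != 1 and a^q != 1 (mod p)."""
    return pow(a, 2, p) != 1 and pow(a, q, p) != 1


alpha = next(a for a in range(2, p) if is_generator(a))   # the public primitive element


def keygen(x=None):
    """Secret x and public y = alpha^x mod p (one public-file entry per user)."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return x, pow(alpha, x, p)


def encrypt(y, m, k=None):
    """Eqs. (1)-(2): K = y^k, ciphertext (c1, c2) = (alpha^k, K m) mod p.
    A fresh k per block is what makes two encryptions of the same m differ."""
    if not 0 <= m <= p - 1:
        raise ValueError("message must satisfy 0 <= m <= p-1")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    K = pow(y, k, p)
    return pow(alpha, k, p), (K * m) % p


def decrypt(x, c):
    """Recover K = c1^x (only the holder of x can), then divide c2 by K."""
    c1, c2 = c
    K = pow(c1, x, p)
    return (c2 * pow(K, -1, p)) % p


def recover_second_block(m1, c_first, c_second):
    """The k-reuse leak of Section 2: two blocks enciphered under the same k
    share c1 and K, so m1/m2 = c2_first/c2_second (mod p) and m2 follows
    from a known m1 without any secret. Returns None when k was not reused."""
    (c1, c2), (c1b, c2b) = c_first, c_second
    if c1 != c1b or c2 == 0:      # different k (or m1 = 0): nothing to recover
        return None
    return (m1 * c2b * pow(c2, -1, p)) % p
```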

3. A DIGITAL SIGNATURE SCHEME 

A new signature scheme is described in this section. The public file contains the same 
public keys for encrypting messages as well as verifying signatures. 

Let $m$ be a document to be signed, where $0 \le m \le p - 1$. The public file still consists of 
the public key $y = \alpha^{x} \bmod p$ for each user. To sign a document, a user A should be able to 
use the secret key $x_A$ to find a signature for $m$ in such a way that all users can verify the 
authenticity of the signature using the public key (together with $\alpha$ and $p$), and no one can 
forge a signature without knowing the secret $x_A$. 

The signature for $m$ is the pair $(r, s)$, $0 \le r, s < p - 1$, chosen such that the equation 

$$\alpha^{m} = y^{r} r^{s} \bmod p \qquad (3)$$

is satisfied. 

3.1. The Signing Procedure 

The signing procedure consists of the following 3 steps: 

A. Choose a random number $k$, uniformly between 0 and $p - 1$, such that 
$\gcd(k, p - 1) = 1$. 

B. Compute 

$$r = \alpha^{k} \bmod p . \qquad (4)$$

C. Now (3) can be written as 

$$\alpha^{m} = \alpha^{xr} \alpha^{ks} \bmod p , \qquad (5)$$

which can be solved for $s$ using 

$$m = x r + k s \bmod (p - 1) . \qquad (6)$$

Equation (6) has a solution for $s$ if $k$ is chosen such that $\gcd(k, p - 1) = 1$. 

3.2. The Verification Procedure 

Given $m$, $r$, and $s$, it is easy to verify the authenticity of the signature by computing 
both sides of (3) and checking that they are equal. 

Note 

As will be shown in section 4, the value of k chosen in step A should never be used more 
than once. This can be guaranteed, for example, by using as a "k generator" a DES chip used 
in the counter mode as a stream cipher. 

4. SOME ATTACKS ON THE SIGNATURE SCHEME 

This section introduces some of the possible attacks on the signature scheme. Some of 
these attacks are easily shown to be equivalent to computing discrete logarithms over GF(p). 
It is not yet proved that breaking the signature scheme is equivalent to computing discrete 
logarithms, or equivalent to breaking the distribution scheme. However, none of the attacks 
shown in this section appear to break the system. The reader is encouraged to develop new 
attacks, or find fast algorithms to perform one of the attacks described in this section. The 
attacks will be divided into two groups. The first group includes some attacks for recovering 
the secret key x, and in the second group we show some attacks for forging signatures 
without recovering x. 

4.1. Attacks aiming to recover x 

4.1.1. Given $\{m_i : i = 1, 2, \ldots, l\}$ documents, together with the corresponding signatures 
$\{(r_i, s_i) : i = 1, 2, \ldots, l\}$, an intruder may try to solve $l$ equations of the form (6). 
Since there are $l + 1$ unknowns (since each signature uses a different $k_i$), the system of 
equations is underdetermined and the number of solutions is large. The reason is that each 
value for $x$ yields a solution for the $k_i$'s since a system of linear equations with a diagonal 
matrix of coefficients will result. Since $p - 1$ is chosen to have at least one large prime factor 
$q$, recovering $x \bmod q$ requires an exponential number of message-signature pairs. 

Note 

If any $k$ is used twice in the signing, then the system of equations is uniquely determined 
and $x$ can be recovered. So for the system to be secure, any value of $k$ should never be used 
twice. 

4.1.2. Trying to solve equations of the form (3) is always equivalent to computing discrete 
logarithms over GF($p$), since both unknowns $x$ and $k$ appear in the exponent. 

4.1.3. An intruder might try to develop some linear dependencies among the unknowns 
$\{k_i : i = 1, 2, \ldots, l\}$. This is also equivalent to computing discrete logarithms since if 
$k_i = c\, k_j \bmod (p - 1)$, then $r_i = r_j^{c} \bmod p$, and if $c$ can be computed then computing 
discrete logarithms is easy. 

4.2. Attacks for Forging Signatures 

4.2.1. Given a document $m$, a forger may try to find $r$, $s$ such that (3) is satisfied. If 
$r = \alpha^{j} \bmod p$ is fixed for some $j$ chosen at random, then computing $s$ is equivalent to solving 
a discrete logarithm problem over GF($p$). 

If the forger fixes $s$ first then $r$ could be computed from the equation 

$$r^{s} y^{r} = \alpha^{m} \bmod p . \qquad (7)$$

Solving equation (7) for $r$ is not yet proved to be at least as hard as computing discrete 
logarithms, but we believe that it is not feasible to solve (7) in polynomial time. The reader is 
encouraged to find a polynomial time algorithm for solving (7). 

4.2.2. It seems possible that (3) can be solved for both r and s simultaneously, but we 
have not been able to find an efficient algorithm to do that. 

4.2.3. The signature scheme allows the following attack, whereby the intruder, knowing 
one legitimate signature for one message, can generate other legitimate signatures and mes- 
sages. This attack does not allow the intruder to sign an arbitrary message and therefore 
does not break the system. This property exists in all the existing digital signature schemes 
and can be avoided by either requiring that $m$ has to be of certain structure, or by applying a 
one-way function to the message $m$ before signing it. 
Given a signature $(r, s)$ for the message $m$, then 

$$\alpha^{m} = y^{r} r^{s} \bmod p .$$

Select integers $A$, $B$, and $C$ arbitrarily, such that $(Ar - Cs)$ is relatively prime to $p - 1$. Set 

$$r' = r^{A} \alpha^{B} y^{C} \bmod p ,$$
$$s' = s r' / (Ar - Cs) \bmod (p - 1) ,$$
$$m' = r' (Am + Bs) / (Ar - Cs) \bmod (p - 1) .$$

Then it is claimed that $(r', s')$ signs the message $m'$. Calculate 

$$y^{r'} r'^{s'} = y^{r'} \left( r^{A} \alpha^{B} y^{C} \right)^{s r' / (Ar - Cs)}$$
$$= \left( (y^{r} r^{s})^{A} \alpha^{Bs} \right)^{r' / (Ar - Cs)}$$
$$= \alpha^{m'} \quad \text{(all calculations mod } p\text{)} .$$

As a special case, setting $A = 0$, legitimate signatures can be generated with corresponding 
messages without ever seeing any signatures: 

$$r' = \alpha^{B} y^{C} \bmod p ,$$
$$s' = -r' / C \bmod (p - 1) ,$$
$$m' = -r' B / C \bmod (p - 1) .$$

It can be shown that $(r', s')$ signs $m'$. 



5. PROPERTIES OF OUR SYSTEM AND COMPARISON TO OTHER SIGNATURE SCHEMES AND PUBLIC 
KEY SYSTEMS 

Let $m$ be the number of bits in either $p$ for the discrete logarithm problem, or $n$ for the 
integer factoring problem. Then the best known algorithm for both computing discrete 
logarithms and factoring integers (which is the function used in some of the existing systems such 
as the RSA system [9]) is given by (see [1,5,10]) 

$$O\left( \exp \sqrt{c\, m \ln m} \right) , \qquad (8)$$

where the best estimate for $c$ is $c = 0.89$ for factoring integers (due to Schnorr and Lenstra 
[10]), as well as for discrete logarithms over GF($p$) (see [5]). These estimates imply that we 
have to use numbers of about the size of the numbers used in the RSA system to obtain the 
same level of security (assuming the current value for $c$ for both the discrete logarithm 
problem and the integer factorization problem). So, the size of the public file is larger than 
that for the RSA system. (For the RSA system, each user has one entry $n$ as his public key 
together with the encryption key in the public file.) 
5.1. Properties of the public key system 

As shown above our system has some differences with the other known systems. First, 
due to the randomization in the enciphering operation, the cipher text for a given message $m$ 
is not repeated, i.e. if we encipher the same message twice we will not get the same cipher 
text $\{c_1, c_2\}$. This prevents attacks like a probable text attack where if the intruder suspects 
that the plain text is, for example, $m$, then he tries to encipher $m$ and finds out if it was 
really $m$. This attack, and similar ones, will not succeed since the original sender chose a 
random number $k$ for enciphering, and different values of $k$ will yield different values of 
$\{c_1, c_2\}$. Also, due to the structure of our system, there is no obvious relation between the 
enciphering of $m_1$, $m_2$, and $m_1 m_2$, or any other simple function of $m_1$ and $m_2$. This is not the 
case for the known systems, such as the RSA system. 

Suppose that $p$ is of about the same size as that required for $n$ in the case of the RSA 
system. Then the size of the cipher text is double the size of the corresponding RSA cipher 
text. 

For the enciphering operation two exponentiations are required. That is equivalent to 
about $2 \log p$ multiplications in GF($p$). For the deciphering operation only one exponentiation 
(plus one division) is needed. 

5.2. Properties of the signature scheme 

For the signature scheme, using the above arguments for the sizes of the numbers in our 
system and the RSA system, the signature is double the size of the document. Then, the size 
of the signature is of the same size as that needed for the RSA scheme, and half the size of the 
signature for the new signature scheme that depends on quadratic forms published by Ong 
and Schnorr [6], and also Ong, Schnorr, and Shamir [7] (since both systems are based on the 
integer factoring problem). The Ong-Schnorr-Shamir system has been broken by Pollard and 
new variations are being suggested. Thus it is not clear at the present time whether a secure 
system based on modular equations can be found and hence no further remarks will be made 
regarding these schemes. 

Note that, since the number of signatures is $p^2$ while the number of documents is only $p$, 
each document $m$ has a lot of signatures, but any signature signs only one document. 

For the signing procedure, one exponentiation (plus a few multiplications) is needed. To 
verify a signature, it seems that three exponentiations are needed, but it was pointed out to the 
author by A. Shamir that only 1.875 exponentiations are needed. This is done by representing 
the three exponents $m$, $r$, $s$ in their binary expansion. At each step square the number 
$\alpha^{-1} y\, r$ and divide by the necessary factor to account for the different expansions of $m$, $r$, and 
$s$. The different multiples of $\alpha^{-1}$, $y$, and $r$ can be stored in a table consisting of eight 
entries. We expect that 0.875 of the time a multiplication is needed. That accounts for the 
1.875 exponentiations needed. 
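Signing and verification from Section 3, with the two checks the text requires ($\gcd(k, p - 1) = 1$ and $k$ never reused) and the three-exponent verification trick of this section, as an added example that is not the paper's code: $p = 2027$ and $\alpha = 2$ are constructed toy parameters (2 is primitive because $2027 \equiv 3 \pmod 8$), and the in-memory record of used $k$ values stands in for the DES-counter generator the paper suggests.

```python
"""Signature scheme of Section 3 on a toy safe prime; constructed example,
not the paper's own code. Parameters are far too small for real use."""
import secrets
from math import gcd

p = 2027                 # constructed toy prime, p - 1 = 2 * 1013
q = (p - 1) // 2
alpha = 2                # primitive mod 2027: 2027 = 3 (mod 8), so 2 is a non-residue
assert pow(alpha, q, p) != 1 and pow(alpha, 2, p) != 1


class NonceReuse(Exception):
    """Raised when a k would be used twice (Section 4.1.1: x then leaks)."""


_used_k = set()          # per-signer record; stands in for the DES-counter k generator


def fresh_k():
    """Step A: k uniform in [1, p-2], coprime to p-1 and never used before."""
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1 and k not in _used_k:
            return k


def sign(x, m, k=None):
    """Steps A-C: returns (r, s) with alpha^m = y^r r^s mod p, eq. (3)."""
    if not 0 <= m <= p - 1:
        raise ValueError("document must satisfy 0 <= m <= p-1")
    if k is None:
        k = fresh_k()
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1, otherwise (6) has no solution")
    if k in _used_k:
        raise NonceReuse("k reused: the secret key becomes recoverable")
    _used_k.add(k)
    r = pow(alpha, k, p)                                    # (4)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)         # solves (6) for s
    return r, s


def verify(y, m, sig):
    """Section 3.2: recompute both sides of (3); three exponentiations."""
    r, s = sig
    if not (0 < r < p - 1 and 0 <= s < p - 1):
        return False
    return pow(alpha, m, p) == (pow(y, r, p) * pow(r, s, p)) % p


def verify_simultaneous(y, m, sig):
    """Section 5.2 (Shamir): check alpha^-m y^r r^s == 1 in one pass over the
    bits of m, r, s with an 8-entry table of products of alpha^-1, y, r.
    One squaring per bit plus a multiply whenever the 3-bit index is non-zero,
    i.e. 7/8 of the time: the 1.875 exponentiations of the text."""
    r, s = sig
    if not (0 < r < p - 1 and 0 <= s < p - 1):
        return False
    bases = (pow(alpha, -1, p), y, r)
    table = [1] * 8
    for idx in range(1, 8):          # table[idx] = product of the bases selected by idx's bits
        prod = 1
        for bit, base in enumerate(bases):
            if (idx >> bit) & 1:
                prod = prod * base % p
        table[idx] = prod
    exps = (m, r, s)                 # exponent i goes with bases[i]
    acc = 1
    for i in reversed(range(max(e.bit_length() for e in exps))):
        acc = acc * acc % p
        idx = sum(((e >> i) & 1) << bit for bit, e in enumerate(exps))
        if idx:
            acc = acc * table[idx] % p
    return acc == 1
```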

6. CONCLUSIONS AND REMARKS 

The paper described a public key cryptosystem and a signature scheme based on the 
difficulty of computing discrete logarithms over finite fields. The systems are only described 
in GF($p$). The public key system can be easily extended to any GF($p^m$), but due to recent 
progress in computing discrete logarithms over GF($p^m$), where $m$ is large (see [2,5]), it is 
advisable to use GF($p$) instead since it seems that it is harder to compute logarithms over 
GF($p$) than over GF($q^m$) for large $m$, if $p$ and $q^m$ are of the same size. The subexponential 
time algorithm has been extended to GF($p^2$) [4] and it appears that it can be extended to all 
finite fields. Hence, it seems that it is better to use GF($p$) for implementing any cryptographic 
system. The estimates for the running time of computing discrete logarithms and 
factoring integers are the best known so far. These estimates imply that the public file size is 
larger in this scheme than in the RSA scheme, but the difference is at most a factor of two 
due to the structure of both schemes. Also the size of the cipher text is double that of the 
RSA system. 
ABSTRACT. 

The undecidable word problem for groups and semigroups is investigated as a basis 
for a public-key cryptosystem. A specific approach is discussed along with the results 
of an experimental implementation. This approach does not give a provably secure or 
practical system, but shows the type of cryptosystem that could be constructed around 
the word problem. This cryptosystem is randomized, with infinitely many ciphertexts 
corresponding to each plaintext. 

1. NP-COMPLETE PROBLEMS. 

The idea of using an NP-complete problem to construct a public-key cryptosystem 
(PKC) seemed promising [Diff76], but has not been successful historically. The earliest 
such PKC was based on the integer knapsack problem, and recently various versions of 
this PKC have been broken by general, powerful attacks [Sha83a], [Adle83]. (In this case, 
the attacks have been carried out on the type of trapdoor inserted, and not directly on the 
knapsack problem itself.) Other PKCs based on NP-complete problems have been proposed, 
but none seems successful so far. 

There is a hierarchy of decision problems, from simplest to hardest, extending 
from polynomial-time problems, through NP-complete problems, to the undecidable 
problems (the hardest of all) [Tarj83], [Aho74]. 

NP-complete problems are often regarded as lying on the "boundary" of intractability, 
i.e., they are the simplest known "natural" problems which are intractable. 
Stated differently, if an NP-complete problem is even slightly weakened, it may no 
longer be intractable. In constructing a PKC, one must insert a trapdoor, and after 
allowing for all the various kinds of attacks, we would not usually expect to have a 
"pure" NP-complete problem remaining. 

Along similar lines Brassard [Bras79] has shown that, with a few restrictions, if a 
cryptosystem were provably NP-complete to break, then the theoretical result NP = co-NP 
would follow. This latter result is widely conjectured to be untrue, though no proof is 
available [Gare79]. Thus the cryptanalysis of a PKC based on an NP-complete problem 
would be easier than NP-complete, hence likely a tractable computation. 

There is a large body of theory about NP-completeness, but the theory only applies 
to worst-case analyses and to arbitrarily large problem instances. For example, the 
integer knapsack problem is not strongly NP-complete, meaning that polynomial-time 
algorithms are available unless "exponentially large" integers are used in the problem 
instance [Gare79]. (Problems that are not strong in this sense are said to be solvable in 
pseudo-polynomial time.) 

Two other classes of polynomial-time algorithms can be used to try to solve 
NP-complete problems. There are clever approximation algorithms which always get an 
approximate answer, though not necessarily the exact answer. (See [Gare79] and 
[Horo78] for examples.) There are also probabilistic algorithms, which give an 
exact answer whenever they give one but may not give any answer at all [Horo78]. Of course there is no known 
polynomial-time algorithm that will solve worst-case, arbitrarily large problem 
instances, but algorithms like those above might force unacceptably large instances of 
an NP-complete problem if a PKC using it is to be secure. 
There is a specialized problem, factoring, that has become the basis for several 
cryptographic applications, including 

• the RSA-like cryptosystem with exponent 2 [Rabi79], [Will80], 

• the generation of a cryptographically secure random number generator 
[Sha83c], and 

• the exchange of secret keys without an arbiter [Blum83]. 

Each has a protocol with a complete security proof, assuming that factoring is 
intractable. And of course the RSA cryptosystem itself, while not equivalent to factoring, 
depends on the difficulty of factoring for its security [Rive79]. New applications that 
depend on factoring appear regularly [Ong84]. As long as factoring remains intractable, 
we are in a good position, but we are overdependent on the computational complexity of 
one particular problem. 

The exact complexity status of the factoring problem is not known, though as with 
knapsack, factoring is easily solved in pseudo-polynomial time. As before, even if no 
polynomial-time algorithm is found, unacceptably large integers might eventually be 
required to keep the problem intractable. 

* * * * 

Thus it seems natural and desirable to look toward harder problems as the basis 
for a PKC. There are various provably intractable problems [Aho74], and of course the 
undecidable problems for which no general algorithmic solution can exist. It is impor- 
tant to note that for a PKC one could use only a special instance of one of these 
harder problems. The difficulty of cryptanalysis would still be in the class NP. 

This paper is the result of an initial look at various undecidable problems, trying 
to construct PKC's. We are concentrating on a particular problem along the lines of an 
earlier paper [Wagn84], with more specific details included here. 

2. THE WORD PROBLEM. 

There are undecidable problems for finitely presented groups and for semigroups. 
First we need a number of definitions. (See [Magn66], [Rotm73], [Crow63], [Lynd77].) A 
finitely presented group G consists of generators x_1, x_2, ..., x_n, which are just 
abstract symbols, and relators r_1 = e, r_2 = e, ..., r_m = e, to be defined below. 
Corresponding to each generator x_i there is an inverse x_i^{-1}. A word in G is a finite 
string made up of symbols x_i and x_i^{-1}. The empty string e is also a word, the 
identity of the group. Each of the r_i above is a word. The group operation for 
combining words is concatenation. For each word w, the inverse word w^{-1} consists 
of all the symbols of w written in reverse order, where each x_i is replaced by x_i^{-1} and 
each x_i^{-1} is replaced by x_i. 

The group G consists of equivalence classes of all possible words. Two words w 
and v are equivalent in G if we can transform w to v by a finite sequence of 
replacement rules of the form 

Rule (i): changing x_i x_i^{-1} or x_i^{-1} x_i to e, that is, eliminating x_i x_i^{-1} or 
x_i^{-1} x_i, 

Rule (ii): introducing x_i x_i^{-1} or x_i^{-1} x_i at any point, 

Rule (iii): changing r_j or r_j^{-1} to e, that is, eliminating r_j or r_j^{-1}, 

Rule (iv): introducing r_j or r_j^{-1} at any point. 

There is a more formal way to define these concepts. First the free group F on 
generators x_1, x_2, ..., x_n is defined as the set of all words in the x_i and x_i^{-1} that are 
reduced by repeatedly cancelling out x_i x_i^{-1} and x_i^{-1} x_i until no further cancellations 
are possible. Let R be the normal subgroup generated by the words r_1, r_2, ..., r_m. (R 
is the intersection of all normal subgroups containing the r_i.) Finally G is the quotient 
group F/R. 

The word problem for a group G is the decision problem that asks, for each 
word w, whether w is equivalent to the identity of G. (Equivalently one can ask 
whether two given words are equivalent.) It turns out that there exist specific groups 
for which the word problem is undecidable [Novi55], [Boon59], [Rabi58]. Like any 
undecidable problem, the word problem can only be undecidable as a question asked about 
infinitely many words; any finite collection of words must have a decidable word 
problem. 

Finitely presented groups are extremely complex objects. For example, the free 
group on two generators with no relators contains within it as a subgroup the free group 
on a countably infinite number of generators. There is a great deal of structure and 
theory associated with such groups and with the word problem. A number of researchers 
devote their entire energies to this subject [Lynd77]. 

There is a similar and simpler word problem for semigroups. We start with 
generators and words in the generators as before but without the inverses. Instead of 
relators we have a list of equations of the form a_1 = b_1, a_2 = b_2, ..., a_m = b_m. In 
defining equivalent words we can only replace any occurrence of a_i by b_i and vice versa. 
The word problem for semigroups again asks if we can decide whether two given words 
are equivalent. Using the halting problem, for example, it is easy to see that there is a 
specific semigroup for which the word problem is undecidable. 

All of our discussion of groups in this paper can be regarded as just a special case 
of semigroups, since one could regard the group as a semigroup with extra symbols x_i^{-1} 
and extra equations x_i x_i^{-1} = e, etc. Thus a semigroup would just be more general and 
flexible for our applications. We have chosen to emphasize groups because they seem to 
fit in naturally with our main ideas for cryptosystems and because of the enormous 
amount of research on groups and their word problems. One hopes that such a thoroughly 
studied problem might someday yield a good theoretical foundation for a cryptosystem. 

3. PUBLIC-KEY CRYPTOSYSTEMS. 

The word problem is similar to the knapsack problem in that both are "natural" 
problems for public-key cryptosystems, i.e., both immediately and directly allow public 
encryption. The difficulty is to insert a trapdoor that will allow decryption. (See 
[Diff76].) 
The trapdoor then becomes a point of weakness for cryptanalytic attacks. We feel 
that a harder problem may make direct attacks more difficult and allow more leeway for 
such trapdoor insertions. 

To use the word problem to encrypt a single bit, start with a finitely presented 
group G and with two "special" words w_1 and w_2 known to be inequivalent in G. Choose 
one of w_1 and w_2 and randomly apply Rule (i) through Rule (iv) to the word, resulting in a 
word y equivalent to either w_1 or w_2 (but not both). Thus the public key consists of the 
group G and the special words w_1 and w_2. 

This is a randomized encryption procedure in the sense of [Rive83]. There are 
infinitely many possible ciphertexts corresponding to each plaintext bit, and the system 
has an arbitrarily large expansion factor. 

This property of a large expansion factor is not new. In fact the homophonic 
ciphers introduced centuries ago [Denn82] associate one of a (finite) set of ciphertext 
elements with each plaintext element. In this case security is increased with greater 
expansion factors, up to perfect security "when each letter of plaintext enciphers into a 
unique ciphertext symbol" [Denn82]. As another example Brassard [Bras81] mentions a 
message length n to ciphertext length n^2 expansion. More generally various random- 
ization techniques [Rive82] can be used to trade a larger expansion factor for the 
likelihood of increased security. 

One can improve the large expansion factor in our system as follows: to encrypt n 
bits, select q = 2^n mutually inequivalent special words w_1, w_2, ..., w_q. Choose one of 
these and encrypt as above. This gives an n-fold improvement in expansion factor, but 
makes the "special word" part of the public key 2^n times as long. 

With good choices for the group and special words in the encryption method de- 
scribed above, it appears that decryption without the trapdoor can be made very difficult. 
Decryption difficulty also depends on the number and type of replacements made during encryption. 
4. TRAPDOOR INSERTION. 

There are surely many ways to insert a trapdoor. We present one general approach 
in section 4.1. Section 4.2 discusses cryptanalysis, and section 4.3 gives a more specific 
approach whose implementation is discussed in section 5. 

4.1. GENERALITIES. 

Start with a finitely presented group 

G = < x_1, ..., x_n | r_1 = e, r_2 = e, ..., r_m = e >, 

and add more relators 

s_1 = e, s_2 = e, ..., s_p = e, 

to get another finitely presented group G'. There is a special relationship between G 
and G'. In formal group theory terms, if N is the normal subgroup of G generated by the 
words s_1, ..., s_p, then G' is the quotient group G' = G/N. There is a natural 
function (the quotient mapping) Q: G -> G' defined as follows. If x is a group 
element of G (= equivalence class of words) let w be any word representing x. Then 
Q(x) is just the equivalence class of w within G'. For us the most important property 
of Q is the following: if x and y are equivalent in G, then Q(x) and Q(y) are 
equivalent in G'. Stated another way, if Q(x) and Q(y) are not equivalent in G', then x 
and y must not be equivalent in G. (The converse does not hold: in fact it is easy for 
elements not equivalent in G to "collapse" to equivalent elements in G'.) 

For this trapdoor to work, the w_1 and w_2 from G that are part of the public key 
must have the property that Q(w_1) and Q(w_2) are not equivalent in G'. To decrypt one 
needs to decide in G' which of Q(w_1) and Q(w_2) the word Q(y) is equivalent to, i.e., one 
needs to solve the word problem in G', at least for some words. (Q(y) must be 
equivalent in G' to one or the other, but not both.) 

The idea behind this method is that the word problem in G might be intractable, 
while the extra relators s_i = e might simplify things so that there is an efficiently 
solvable word problem for G'. This general decryption method would work both for the 
owner of the PKC and for an opponent attempting cryptanalysis. This method is a 
standard way in group theory to show that two elements are not equivalent. 

4.2. CRYPTANALYSIS. 

We now list possible cryptanalytic attacks on this type of cryptosystem. Assume 
that a finitely presented group G is given along with two special inequivalent words w_1 
and w_2 for the public key. We regard the quotient group G', or the extra s_i = e relators, 
as the secret key. One of w_1 or w_2 is chosen and encrypted to form a word y. 

Attack (a): Find a tractable algorithm which decides the word 
problem in G. With this algorithm, one directly decides which of w_1 or w_2 
is equivalent to y. Gilles Brassard has pointed out that there is always a 
simple but impractical constructive algorithm that works for two words (or 
finitely many words): just try all possible sequences of replacements in 
parallel on w_1 and w_2, producing the word y in a finite amount of time. Thus, 
as we have mentioned before, in no sense is cryptanalysis undecidable. 
However, one hopes that with a good choice of G, there will be no tractable 
algorithms for direct attacks of this sort. 

Attack (b): Find extra relators s_i = e with quotient group G', 
so that Q(w_1) is not equivalent to Q(w_2) and so that there is a 
tractable algorithm in G' to decide the word problem. This is just 
the general method mentioned in section 4.1. These particular extra relators 
do not need to be the same as in the secret key, just so the other conditions 
are satisfied. Guarding against this bothersome attack is the main reason for 
the complexity of section 5. 

Attack (c): Use a brute-force attack on a PKC, in which one 
decrypts the ciphertext under each possible secret key. This attack 
would succeed and shows that cryptanalysis is in the class NP. However, 
unlike the situation with a traditional PKC, here there is no fixed bound on the 
size of the smallest secret key that would work for decryption. There might 
be infinitely many possible candidate secret keys to try, and success might 
take arbitrarily long. (The specific system described in section 5 has only 
finitely many possible secret keys for each public key.) 

Attack (d): Regard the system as a conventional cryptosystem 
and use a brute-force known plaintext attack in which the plain- 
text is encrypted under each possible key. This attack is almost 
hopeless, since even with the correct key the ciphertext is not determined, 
and since there is no bound on the number of keys to try. 



4.3. DETAILS. 

In order to construct a specific trapdoor, we propose choosing the additional 
relators s_j = e so that each of the r_i = e becomes trivial. The words r_i are also 
chosen to facilitate this. Consider extra relators of one of three forms: 

Type (S1): (Elimination of a generator) 
x_i = e, for some specific i. (Thus any occurrence of x_i just drops out.) 

Type (S2): (Collapse of two generators to one) 
x_i x_j^{-1} = e, or x_i x_j = e, for specific i and j. (Any 
reference to x_j can be replaced by x_i or by x_i^{-1}.) 

Type (S3): (Commutator of two generators) 
x_i x_j x_i^{-1} x_j^{-1} = e, or x_i x_j = x_j x_i, for specific i and j. 
(x_i and x_j commute.) 

Such extra relators might greatly simplify the r_i words. In fact we will choose 
the r_i and the s_j in such a way that each r_i, in conjunction with all the s_j, will reduce 
to the empty word e. After eliminating and collapsing generators, the group G' will 
have only relators of type (S3) (the commutators). Thus G' will be a free group in 
which certain pairs of generators commute. There is a simple (polynomial-time) 
algorithm which decides the word problem for such a group. (See section 5.) Notice that 
in G' the special words w_1 and w_2 must still not be equivalent. 

This method for inserting a trapdoor could also be used as an attack by an opponent, a 
special case of Attack (b) of the previous section. 

Attack (b): Find extra relators s_j = e of types (S1), (S2) and 
(S3) such that 

(i) each r_i word becomes trivial, and 

(ii) even with the extra s_j = e relators, the words w_1 
and w_2 are still not equivalent. 

We propose to choose the special words w_1 and w_2 so that for "most" choices of 
s_j = e relators, condition (ii) will not be true. Here is our approach in outline form. 
Given a large collection of r_i = e relators, the opponent or PKC originator must introduce 
many commuting pairs of generators in order to make all the r_i trivial. So in the 
simplified group G', most pairs of generators will commute. The PKC originator will 
have a small (secret) subset of non-commuting pairs. 

It is fairly easy to construct arbitrarily many inequivalent words that reduce to e 
if any one of a set of pairs commutes. For a single pair (x_1, x_2), just use the word 
x_1 x_2 x_1^{-1} x_2^{-1}, or x_1 x_2^2 x_1^{-1} (x_2^{-1})^2, etc. For a recursive general definition, assume 
u is a word that reduces to e in case any one of a set U of pairs commutes. Assume v 
and V have the same property. Then the word u v u^{-1} v^{-1} will reduce to e in case any 
one pair commutes from the union of the sets U and V. 

In this form, w_1 and w_2 would still not work in a public key. Before publishing 
them, they must be encrypted as we have described, so that the set of commuting pairs 
will no longer be recognizable. 
5. AN EXPERIMENTAL IMPLEMENTATION. 

We have chosen specific parameters, relators, and special words and have written 
a computer program to implement an example cryptosystem. We should emphasize that 
we are only attempting a rough implementation to demonstrate the feasibility of this 
system, and to stimulate further research. Much more work will be required before 
anyone could rely on the security and practicality of any cryptosystem similar to this 
one. 

The relators r_i = e are chosen so that for each generator x_j appearing in r_i there 
is a corresponding x_j^{-1}. Then it is easy to make each r_i trivial by allowing certain 
pairs to commute, i.e., adding relators of type (S3) (section 4.3). Adding relators of 
types (S1) and (S2) will give alternative ways to make the r_i trivial. The basic idea is 
to present an opponent with a very large number of ways to get rid of the r_i relators. 
We might hope that the opponent would have to search for the secret subset of non- 
commuting pairs in order to break this system. 

After some searching around, we have settled on relators of three types for the 
original r_i = e, where below x_i, x_j, x_k, and x_l stand for arbitrary generators or 
inverses of generators. 

Type (R1): x_i x_j x_k x_l x_i^{-1} x_k^{-1} x_l^{-1} x_j^{-1} = e, 
Type (R2): x_i x_j x_k x_i^{-1} x_j^{-1} x_k^{-1} = e, and 
Type (R3): x_i x_j x_k x_j^{-1} x_i^{-1} x_k^{-1} = e. 

We mostly use relators of type (R1) with some of types (R2) and (R3). We do not know 
the complexity of the word problem for a group made up of relators of these forms, so 
that Attack (a) of section 4.2 might succeed. (It would be better to start with a group G 
with an undecidable word problem.) 

Type (R1) has the advantage that there are seven distinct ways to make such a 
relator vanish using a minimal number of extra relators of types (S2) (collapsing) and 
(S3) (commutators). (Type (S1) (elimination) relators are rather too drastic to use 
much, if at all.) For example, suppose we use an extra collapsing relator 

x_j x_l = e, or x_l = x_j^{-1}, 

and three extra commutators 

x_i x_k x_i^{-1} x_k^{-1} = e, or x_i x_k = x_k x_i, 
x_j x_k x_j^{-1} x_k^{-1} = e, or x_j x_k = x_k x_j, and 
x_k x_l x_k^{-1} x_l^{-1} = e, or x_k x_l = x_l x_k. 

The original relator simplifies as follows: 

x_i x_j x_k x_l x_i^{-1} x_k^{-1} x_l^{-1} x_j^{-1} = 
x_i x_j x_k x_j^{-1} x_i^{-1} x_k^{-1} x_j x_j^{-1} = 
x_i x_j x_k x_j^{-1} x_i^{-1} x_k^{-1} = 
x_i x_k x_j x_j^{-1} x_i^{-1} x_k^{-1} = x_i x_k x_i^{-1} x_k^{-1} = e. 

There are four other very similar distinct methods to make this relator vanish. In 
addition, just setting x_l = x_k^{-1} makes everything drop out, and making five of the six 
possible pairs commute also makes the relator vanish. 

Along similar lines there are three ways to make a relator of type (R2) vanish and 
two ways for a relator of type (R3). Of course any of these relators will vanish if one 
just allows all relevant pairs to commute, with no need to include the pair (x_j, x_k) in 
type (R1) or the pair (x_i, x_j) in type (R3). 

In making up a specific PKC we have chosen four non-commuting pairs and made up 
special words (at least 64 symbols long) that would vanish if any one of the four pairs 
commuted. These pairs were chosen so that for each pair there is a specific r_i = e 
relator such that all but one way of making the word r_i trivial will also make the given 
pair commute. Thus if an opponent uses Attack (b) of section 4.3, then in making each r_i 
vanish, he will very likely make one or more of the crucial pairs commute, and so the 
special words will also vanish. (In order to keep the special words from degenerating, it 
was necessary to add extra non-commuting pairs.) 

Applications of the replacement rules (i) through (iv) are more complicated than 
one might expect. For example, suppose we have a relator 

r_1 = x_1 x_2 x_3 x_4 x_5 x_6 = e 

and a word 

w = x_3 x_6 x_1 x_2. 

Then in the equation r_1 = e, multiply on the left by x_2^{-1} x_1^{-1} and on the right by x_6^{-1} to 
get 

x_3 x_4 x_5 = x_2^{-1} x_1^{-1} x_6^{-1}. 

Taking the inverse of both sides gives 

x_5^{-1} x_4^{-1} x_3^{-1} = x_6 x_1 x_2. 

Thus in a group with the relator r_1 = e, the word w = x_3 x_6 x_1 x_2 is equivalent to the 
word 

x_3 x_5^{-1} x_4^{-1} x_3^{-1}. 

(The process given above can be redone using just Rules (i) through (iv) in a formal 
fashion.) 

In general we can write the generators of a relator clockwise in a circle, and any 
clockwise connected string can be replaced by the inverse of the complementary string, 
plus inverses of these replacements. The relator of length 6 above allows 72 different 
possible replacements, and a relator of length n allows correspondingly more. Our computer program 
attempts to look for replacements where the string being replaced is as long as possible. 
This kind of string matching can be done fairly efficiently using a variation of the 
Knuth-Morris-Pratt algorithm [Aho74]. 

In actual runs of our experimental implementation, we tried n = 25 and n = 50 
generators. (We think the latter size might provide moderate security against attacks 
we can visualize.) The special words w_1 and w_2 are first made up as described in 
section 4.3, and then must be "pre-encrypted" before public release to hide the 
non-commuting pairs used in making them up. Actual public encryption just consists of 
more of the same kinds of replacements. Table 1 shows sets of parameters for two 
cryptosystems. 
Table 1. Parameters for two experimental cryptosystems. 

                                                 System 1          System 2 
Number of generators                                   25                50 
Number of relators in G        Type R1                 34               153 
                               Type R2                  6                21 
                               Type R3                  6                20 
                               Total                   46               194 
Pairs of generators in G       Total                  300              1225 
                               Non-commuting           19                29 
Number of additional           Type S1                  0                 0 
relators (defining G')         Type S2                  3                 3 
                               Type S3                220              1067 
                               Total                  223              1070 
Length of special word         Original                64                64 
                               Encrypted     ~1/4 symbol       ~1/2 symbol 
                                             per replacement   per replacement 
Public key size (bits)                         ~1000-2000            ~10000 
Expansion factor (minimum)                        ~50-500         ~100-1000 


The replacements used for public encryption pose interesting problems. There 
need to be many random choices in the invocation of these replacements, but we do not 
want things completely random because we want the lengths to stay within reasonable 
bounds. It is also necessary that all parts of the original word get acted upon. Finally, 
we do not want a replacement to just undo the action of a previous replacement. To help 
with these goals, we maintained a "ghost" string in parallel with the real string being 
encrypted. The ghost keeps track of which string symbols have been replaced, using 
which relator. The replacement strategy was to choose a string location and relator at 
random, and to definitely use that relator for a replacement, trying first near the chosen 
location. But the algorithm was given some leeway to try to achieve the above goals. We 
performed thousands of replacements on the special words to get an idea of the 
asymptotic behavior. With 50 generators, the last of the original symbols of the special 
word was replaced after about 1000 replacements. The encrypted special words were 
growing at the rough rate of half a symbol per replacement. 
(After 2000 replacements, the special words were about 1100-1200 symbols long, 
though the rate of increase seemed to be slowing down.) With a better choice of the set 
of relators r_i = e, or with more of them, encryption might not have a lengthening 
effect at all. We hope there is a clever way to do the design so that cryptanalysis is 
provably equivalent to some standard problem from combinatorial group theory, just as 
other systems have been proven equivalent to factoring (see section 1). 

For decryption in G', we need to solve the word problem for a free group with 
some commutators. The algorithm converts any word to a standard form in two phases. 
First consider any substring of the form ... x y x^{-1} ..., where x is a generator, y is a string, 
and x commutes with every generator in y. In such a case we cancel x and x^{-1}. Such 
cancellations are repeated until no more are possible. (One needs to argue that any 
choices along the way do not affect the final outcome.) The second part of the algorithm 
uses a bubblesort-type method to make sure any adjacent commuting pairs are in a 
standard order. 
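The following program is an added illustration and not the authors' implementation. It carries the construction of sections 2 to 5 through on constructed toy parameters (8 generators, type (R1) relators only, four secret non-commuting pairs forming a 4-cycle): words as lists of signed integers, Rule (i) as free reduction, the special words of section 4.3 built by nested commutators, public encryption by splicing conjugates of relators into the word, and decryption by the two-phase normal form in G' just described. One caveat applies to the second phase: swapping only adjacent out-of-order commuting letters can stop short of a unique standard form (if x_2 commutes with x_1 and with x_3 but x_1 and x_3 do not commute, the word x_3 x_1 x_2 has no adjacent commuting pair out of order, yet it equals the smaller word x_2 x_3 x_1), so the program instead emits at each step the smallest letter that commutes with everything before it, which is the lexicographically least word of the class.

```python
"""Toy public-key system on the word problem (sections 2 to 5); added example.
Words are lists of non-zero ints: +i is the generator x_i, -i is x_i^{-1}.
The parameters (8 generators, 12 type (R1) relators, a secret 4-cycle of
non-commuting pairs) are constructed for illustration only."""
import random
from itertools import combinations

def inverse(w):
    return [-a for a in reversed(w)]

def free_reduce(w):
    """Rule (i): cancel adjacent x x^{-1} until none remain."""
    out = []
    for a in w:
        out.pop() if out and out[-1] == -a else out.append(a)
    return out

def independent(a, b, comm):
    """May a and b be swapped in G'?  Same letter, or distinct generators whose
    pair is in `comm`; x and x^{-1} are never swapped."""
    return a == b or (abs(a) != abs(b) and frozenset((abs(a), abs(b))) in comm)

def normal_form(w, comm):
    """Canonical word in G' = free group with commuting pairs `comm`.
    Phase 1 (section 5): delete x y x^{-1} whenever x commutes with all of y, until
    none is left (the survivor has minimal length).  Phase 2: emit, each time, the
    smallest letter independent of everything before it, i.e. the lexicographically
    least word of the class; so equal elements of G' give equal output."""
    w = free_reduce(w)
    changed = True
    while changed:
        changed = False
        for i in range(len(w)):
            for j in range(i + 1, len(w)):
                if w[j] == -w[i]:
                    del w[j], w[i]
                    changed = True
                    break
                if not independent(w[i], w[j], comm):
                    break
            if changed:
                break
    out = []
    while w:
        best = min((i for i in range(len(w))
                    if all(independent(w[i], b, comm) for b in w[:i])),
                   key=lambda i: (abs(w[i]), w[i]))
        out.append(w.pop(best))
    return out

def commutator(u, v):
    """[u, v] = u v u^{-1} v^{-1}: trivial as soon as u or v is trivial."""
    return free_reduce(u + v + inverse(u) + inverse(v))

def special_word(pairs):
    """Section 4.3: a word that collapses to e once any one pair in `pairs` commutes."""
    if len(pairs) == 1:
        return commutator([pairs[0][0]], [pairs[0][1]])
    mid = len(pairs) // 2
    return commutator(special_word(pairs[:mid]), special_word(pairs[mid:]))

def randomize(w, relators, rounds, rng):
    """Rules (ii)-(iv): splice a cyclic rotation of r or r^{-1} (a conjugate of a
    relator, hence trivial in G) at a random point, then apply Rule (i)."""
    for _ in range(rounds):
        r = rng.choice(relators)
        if rng.random() < 0.5:
            r = inverse(r)
        k, pos = rng.randrange(len(r)), rng.randrange(len(w) + 1)
        w = free_reduce(w[:pos] + r[k:] + r[:k] + w[pos:])
    return w

def keygen(n_gens, noncomm, n_relators, rng):
    """Secret key: the commuting pairs of G' (every pair not in `noncomm`).  Public
    key: type (R1) relators trivial in G' and the two pre-encrypted special words."""
    gens = list(range(1, n_gens + 1))
    comm = {frozenset(p) for p in combinations(gens, 2)} - {frozenset(p) for p in noncomm}
    relators = []
    while len(relators) < n_relators:
        a, b, c, d = (g * rng.choice((1, -1)) for g in rng.sample(gens, 4))
        r = [a, b, c, d, -a, -c, -d, -b]            # type (R1) of section 5
        if normal_form(r, comm) == []:              # trapdoor condition: r = e in G'
            relators.append(r)
    w1, w2 = special_word(noncomm[:2]), special_word(noncomm[2:])
    assert normal_form(w1, comm) and normal_form(w1, comm) != normal_form(w2, comm)
    return (relators, randomize(w1, relators, 12, rng), randomize(w2, relators, 12, rng)), comm

def encrypt_bit(bit, pub, rng, rounds=15):
    relators, w1, w2 = pub
    return randomize(list((w1, w2)[bit]), relators, rounds, rng)

def decrypt_bit(c, pub, comm):
    """Trapdoor: Q(c) equals exactly one of Q(w1), Q(w2) in G' = G/N."""
    return [normal_form(w, comm) for w in pub[1:]].index(normal_form(c, comm))

def demo(seed=1):
    """Round trip of a few bits with a constructed secret 4-cycle of pairs."""
    rng = random.Random(seed)
    pub, comm = keygen(8, [(1, 2), (2, 3), (3, 4), (1, 4)], 12, rng)
    bits = [0, 1, 1, 0, 1]
    return [decrypt_bit(encrypt_bit(b, pub, rng), pub, comm) for b in bits] == bits
```

Rejection sampling in keygen is the toy's stand-in for choosing the r_i "to facilitate" trivialization: a candidate (R1) word is kept only if its normal form in G' is empty. Attack (b) of section 4.3 can be tried by hand here by adding one more pair to the commuting set and watching the special words collapse to e.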

In constructing these experimental cryptosystems, most relators were just chosen 
at random after deciding on the trapdoor. With more care, one could create the trapdoor 
after the relators. In this way the public relators could be represented pseudo-randomly, 
greatly reducing the public key size. 

As part of the experiment, we simulated one simple attack by the opponent. For 
each type R1 relator we made five of the six pairs commute so that the relator would 
vanish, and similarly for types R2 and R3. Then of course several of the crucial pairs 
used in the special words commuted, so that these special words just reduced to e. We 
hope that it would be an intractable problem for the opponent to achieve any other result. 
There are various brute-force searches that the opponent could try, but each such search, 
for 50 generators, seems to involve more than 10^9 possibilities. 



6. CONCLUSIONS. 

We have made a case for basing cryptosystems on problems harder than 
NP-complete. As an illustration, we have used the undecidable word problem for groups 
to design a public-key cryptosystem. Public encryption is straightforward, but trapdoor 
insertion requires further study. An experimental system was implemented and seems 
resistant to initial cryptanalytic attacks. This system has a large key size and 
encryption time, and an excessively large expansion factor, at least 100 to 1. 
ABSTRACT 

Signatures based on polynomial equations modulo n have been introduced 
by Ong, Schnorr, Shamir [3]. We extend the original binary quadratic 
OSS-scheme to algebraic integers. So far the generalised scheme 
is not vulnerable to the recent algorithm of Pollard for solving 
s_1^2 + k s_2^2 = m (mod n) which has broken the original scheme. 



1. INTRODUCTION 

Diffie and Hellman [1] introduced the concept of digital signature 
and that of public key cryptosystem. The RSA system [6] is currently 
believed to be the most secure scheme for both purposes. A new type 
of signature scheme based on the quadratic equation s_1^2 + k s_2^2 = m (mod n) 
has been proposed by Ong, Schnorr, Shamir [3]. Here m is the message, 
s_1 and s_2 are the signature, and k and n are the publicly known key. 
The new scheme would be much easier to implement than the RSA-scheme, 
but it has been broken by a recent algorithm of Pollard which solves 
the equation x^2 + k y^2 = m (mod n) without factoring n. 
In this paper we consider signature schemes based on more general 
polynomial equations modulo n. In particular we extend the original 
OSS-scheme from rational integers to algebraic integers. This leads to 
a signature scheme based on the quadric equation 

(m_2 - 2k s_21 s_22)^2 + 4 s_12^2 (d s_12^2 + k s_21^2 + k d s_22^2 - m_1) = 0 (mod n) 

where m_1 and m_2 are the message, s_12, s_21 and s_22 are the signature, and the public key con- 
sists of the integers k, d, n with 1 <= k, d < n. The private key is the 
square root sqrt(-k) (mod n). Signature verification can be done with 10 
multiplications on integers modulo n, signature generation requires 9 
multiplications and 1 division modulo n. 
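The quadric equation above can be obtained as follows. This derivation is added here, it is not part of the paper, and it assumes that the extension to algebraic integers means signing in Z[sqrt(d)]: the OSS equation S_1^2 + k S_2^2 = M (mod n) with S_1 = s_11 + s_12 sqrt(d), S_2 = s_21 + s_22 sqrt(d) and M = m_1 + m_2 sqrt(d).

```latex
S_1^2 + k S_2^2 \equiv M \pmod n
\quad\Longrightarrow\quad
\begin{cases}
s_{11}^2 + d\,s_{12}^2 + k\,s_{21}^2 + k d\,s_{22}^2 \equiv m_1 & \text{(rational part)}\\[2pt]
2\,s_{11} s_{12} + 2k\,s_{21} s_{22} \equiv m_2 & \text{(coefficient of } \sqrt d\,)
\end{cases}
% Solve the second congruence for the component that is not transmitted,
%   s_{11} \equiv (m_2 - 2k\,s_{21}s_{22})\,(2 s_{12})^{-1} \pmod n,
% substitute into the first and multiply through by 4 s_{12}^2:
(m_2 - 2k\,s_{21}s_{22})^2 + 4\,s_{12}^2\bigl(d\,s_{12}^2 + k\,s_{21}^2 + k d\,s_{22}^2 - m_1\bigr) \equiv 0 \pmod n .
```

The last congruence involves only the public key (k, d, n), the message (m_1, m_2) and the three transmitted signature components s_12, s_21, s_22; s_11 has been eliminated, which is why it need not be sent. The division by 2 s_12 is where the signer needs s_12 to be a unit modulo n, the same proviso as for the division in (2) below.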

All participants of the system may share the (d,n)-part of their 
public key provided that the factorisation of n is completely unknown. 



2. SIGNATURES BASED ON POLYNOMIAL EQUATIONS 

When Alice joins the communication network she publishes a key 
consisting of two parts: a modulus n and the integer coefficients of a 
polynomial P(s_1, ..., s_d) in Z[s_1, ..., s_d] with indeterminates s_1, ..., s_d. 
The modulus n is the product of two large random primes p, q. The facto- 
rization of n should be unknown, except possibly to Alice. In order to 
prevent factoring of n by known factoring algorithms n should be at 
least 600 bits long. The coefficients of P are integers in the range 
Z_n := {c in Z : 0 <= c < n}. The elements in Z_n are used as representatives 
for the ring Z/nZ of integers modulo n. Typically P will only have a 
few coefficients. 

The messages m are numbers in Z_n. A tuple s = (s_1, ..., s_d) of num- 
bers in the same range is a signature for m if it satisfies the equation 

(1) P(s_1, ..., s_d) = m (mod n). 

Given the coefficients of P and n it is easy to verify Alice's signa- 
tures by evaluating P(s_1, ..., s_d) with a few modular multiplications and 
additions. 

Unlike the RSA system, signatures are not uniquely associated with 
messages. Since the number of possible messages is n while the number 
of possible signature tuples is n^d, each message has about n^(d-1) diffe- 
rent signatures. However, the probability that a randomly chosen tuple 
s = (s_1, ..., s_d) will be a valid signature of a given m is negligible, 
and thus the multiplicity of signatures does not imply that they are 
easy to find. 

The secret that helps Alice solve the equation (1) is an integer 
(d,d)-matrix A which modulo n is invertible. If the transformation 
x = As (mod n) transforms P into a polynomial x_1 P'(x_2, ..., x_d) = 
P(s_1, ..., s_d) (mod n) then Alice can easily solve equation (1). She 
picks random values x_2, ..., x_d in Z_n, evaluates 

(2) x_1 := m / P'(x_2, ..., x_d) (mod n) 

and transforms 

(3) s := A^{-1} x (mod n). 

So Alice can generate signatures of m by choosing random values 
x_2, ..., x_d and evaluating (2), (3) using a few modular multiplications 
and additions and one modular division. If P'(x_2, ..., x_d) is not rela- 
tively prime to n then m / P'(x_2, ..., x_d) (mod n) may not be defined, but 
if all the factors of n are large Alice is unlikely to choose such values 
x_2, ..., x_d. 

The relationship between messages and signatures is summarized in the following lemma. Let $\mathbb{Z}_n^*$ be the set of numbers in $\mathbb{Z}_n$ which are relatively prime to n. Note that $\mathbb{Z}_n$ represents the set $\mathbb{Z}/n\mathbb{Z}$ of integers modulo n, so $\mathbb{Z}_n$ is a commutative ring under addition and multiplication modulo n and $\mathbb{Z}_n^* \subset \mathbb{Z}_n$ is the group of invertible elements.

LEMMA 1 For every $m \in \mathbb{Z}_n^*$ the set of signatures of m is in 1-1 correspondence with the set of values (3) as $x_2, \dots, x_d$ range over $\mathbb{Z}_n^{d-1}$ and $x_1 = m / P'(x_2, \dots, x_d) \pmod n$.

PROOF For every $(x_2, \dots, x_d) \in (\mathbb{Z}_n)^{d-1}$ with $P'(x_2, \dots, x_d) \in \mathbb{Z}_n^*$, (2), (3) clearly define a signature s of m. On the other hand for every signature $s = (s_1, \dots, s_d)$ there exists $x := As \pmod n$. We have $P(s_1, \dots, s_d) = x_1 P'(x_2, \dots, x_d) = m \pmod n$, and $P'(x_2, \dots, x_d) \in \mathbb{Z}_n^*$ follows from the assumption $m \in \mathbb{Z}_n^*$. Since A is non-singular only one value of $(x_2, \dots, x_d) \in (\mathbb{Z}_n)^{d-1}$ can correspond to each signature. Q.E.D.

REMARKS (i) By using independent random values $x_2, \dots, x_d$, Alice can choose an arbitrary signature of m with uniform probability distribution, and is not restricted to signatures of some special form. (ii) If several messages $m^i$ are signed with the same $x_2, \dots, x_d$ then $x^i = (x_1^i, x_2, \dots, x_d)$ and the signature $s^i$ are known for each message and A can be computed from the linear equations $x^i = A s^i \pmod n$. Thus Alice must choose independent random values $x_2, \dots, x_d$ for each message.

How does Alice generate her public key? She first chooses the modulus n as a large composite number which is difficult to factor. By using a probabilistic primality testing algorithm on random integers with at least 300 bits, Alice can find after a few hundred tests two numbers p and q which are almost certainly primes. The product n of p and q is easy to compute, but even the fastest known factoring algorithm on the fastest available computer will take millions of years to factor it. The generation of n can be done within a few hours on a typical microcomputer. Such an overnight initialization is acceptable in most applications, but if the user cannot afford it, there is a faster alternative: if a trusted third party (the NBS?) computes n and then erases p and q, no one knows the factorization of n and thus everyone can use it as a standard modulus.

In order to generate the polynomial P, Alice chooses a simple polynomial $P'(x_2, \dots, x_d)$ with integer coefficients and then picks a random integer $(d,d)$-matrix A. Alice keeps A secret, transforms the polynomial $x_1 P'(x_2, \dots, x_d)$ with $x := As \pmod n$ into a polynomial P, $P(s_1, \dots, s_d) = x_1 P'(x_2, \dots, x_d) \pmod n$, and publishes the coefficients of the transformed polynomial P. P is no longer linear in any of the variables. The equation $P(s_1, \dots, s_d) = m \pmod n$ is apparently difficult. Alice also verifies that A is invertible modulo n. If the prime factors of n are large then singular matrices are unlikely to occur. It is important that Alice can generate P without knowing the factors of n. All the participants of the communication network may use the same simple polynomial $P'(x_2, \dots, x_d)$ and even the same modulus n (provided that the factors of n are unknown) and differ only in their choice of A.

The security of the scheme requires choosing particular transformation matrices A which cannot be easily computed from the coefficients of P and P'. We choose the polynomial P' and the matrix A so that recovering A from the polynomials P and P' is as hard as factoring n. Since Alice is not restricted to signatures of some special form it is impossible to obtain information on the secret parameters, A and the factors of n, by analysing her signatures. Also Alice herself may be unaware of the factors of n. Since Bob cannot benefit from Alice's signatures and cannot use her method for solving equation (1), he must come up with an alternative way of solving this equation. So for each class of transformations A and for each polynomial P' one must carefully analyse whether equation (1) is sufficiently difficult for the corresponding polynomials P.

The security of the scheme is based on the difficulty of factoring n. When the factors p and q of n are known the equation (1) can be solved efficiently. The probabilistic root finding algorithm of Rabin computes $s', s'' \in \mathbb{Z}^d$ such that $P(s') = m \pmod p$ and $P(s'') = m \pmod q$. By the Chinese remainder theorem s' and s'' can be combined to a solution $s = \sigma s' + \tau s'' \pmod n$. Here $\sigma$ and $\tau$ are integers satisfying

$\sigma \equiv 1 \pmod p$, $\sigma \equiv 0 \pmod q$, $\tau \equiv 0 \pmod p$, $\tau \equiv 1 \pmod q$.
The binary quadratic scheme: The simplest polynomial equation (1) appears for d = 2; we transform the equation

(5) $x_1 x_2 = m \pmod n$

using an arbitrary $u \in \mathbb{Z}_n^*$ by the linear substitution

$x_1 := s_1 + u^{-1} s_2 \pmod n$, $x_2 := s_1 - u^{-1} s_2 \pmod n$.

This yields $x_1 x_2 = s_1^2 - u^{-2} s_2^2 = m \pmod n$. So the trivial equation (5) is transformed into the less trivial polynomial equation

(6) $s_1^2 + k s_2^2 = m \pmod n$ with $k = -u^{-2} \pmod n$.

The public key of the corresponding signature scheme consists of n and k, and the private key is u. A pair $(s_1, s_2) \in (\mathbb{Z}_n)^2$ is a valid signature for m if $s_1^2 + k s_2^2 = m \pmod n$. Recovering the private key u from the public key k requires the computation of $\sqrt{-k} \pmod n$ and thus is as hard as factoring n.

Unfortunately this case of our signature concept is insecure due to a recently discovered algorithm of Pollard [4] which efficiently solves quadratic equations $s_1^2 + k s_2^2 = m \pmod n$. Pollard's method does not solve general polynomial equations modulo n nor does it extend to systems of polynomial equations.
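The d = 2 case of equations (1)-(3), i.e. the binary quadratic scheme (5)-(6) written out with its transformation matrix A, together with the key recovery of remark (ii) when the same random value $x_2$ is used for two messages. This is an added Python example, not code from the paper; the primes, the seed and the message values are toy assumptions, far below the 600-bit modulus the text calls for.

```python
# Added example (not code from the paper): the d = 2 instance of the
# polynomial signature scheme, i.e. the binary quadratic scheme over Z_n,
# written in the matrix form x = A s (mod n) of equations (1)-(3), together
# with the key recovery of remark (ii) when the same random x_2 is used for
# two messages. The modulus below is a toy product of two small primes
# (assumption, for illustration only); the paper asks for about 600 bits.
import math
import random

P, Q = 1000003, 1000033          # toy primes (assumed; far too small for real use)
N = P * Q

def inv(a, n):
    """Modular inverse; pow raises ValueError if gcd(a, n) != 1."""
    return pow(a, -1, n)

def rand_unit(rng, n):
    """Random element of Z_n^* (relatively prime to n)."""
    while True:
        a = rng.randrange(2, n)
        if math.gcd(a, n) == 1:
            return a

def keygen(u, n=N):
    """Public key k = -u^{-2}; private matrix A of the substitution
    x_1 = s_1 + u^{-1} s_2, x_2 = s_1 - u^{-1} s_2, and A^{-1} (mod n)."""
    ui = inv(u, n)
    k = (-ui * ui) % n
    A = [[1, ui], [1, (-ui) % n]]
    h = inv(2, n)                                  # 1/2 mod n (n is odd)
    A_inv = [[h, h], [u * h % n, (-u * h) % n]]    # s_1 = (x_1+x_2)/2, s_2 = (x_1-x_2) u/2
    return k, A, A_inv

def matvec(M, v, n=N):
    return [(M[0][0] * v[0] + M[0][1] * v[1]) % n,
            (M[1][0] * v[0] + M[1][1] * v[1]) % n]

def sign(m, A_inv, x2, n=N):
    """Equations (2), (3) with P'(x_2) = x_2: x_1 = m / x_2, then s = A^{-1} x."""
    x1 = m * inv(x2, n) % n
    return matvec(A_inv, [x1, x2], n)

def verify(m, s, k, n=N):
    """Equation (6): s_1^2 + k s_2^2 = m (mod n)."""
    return (s[0] * s[0] + k * s[1] * s[1]) % n == m % n

def recover_u(msgs, sigs, n=N):
    """Remark (ii), d = 2: for signatures s^1, s^2 made with one x_2, the first
    row of A satisfies x_2 * (A s^i)_1 = x_2 * x_1^i = m^i, so the unknown
    vector w = x_2 * (1, u^{-1}) solves the linear system w . s^i = m^i.
    Cramer's rule gives w, and u^{-1} = w_2 / w_1 (x_2 itself cancels)."""
    (a, b), (c, d) = sigs
    m1, m2 = msgs
    det_inv = inv((a * d - b * c) % n, n)
    w1 = (m1 * d - m2 * b) * det_inv % n
    w2 = (a * m2 - c * m1) * det_inv % n
    return inv(w2 * inv(w1, n) % n, n)             # u = (u^{-1})^{-1}

def demo(seed=1):
    """Sign one message correctly, then reuse x_2 for two messages and recover u."""
    rng = random.Random(seed)
    u = rand_unit(rng, N)
    k, A, A_inv = keygen(u)
    m = rand_unit(rng, N)
    assert verify(m, sign(m, A_inv, rand_unit(rng, N)), k)
    x2 = rand_unit(rng, N)                         # reused nonce (the mistake)
    m1 = rand_unit(rng, N)
    m2 = (m1 + rand_unit(rng, N)) % N              # m1 - m2 is a unit, so the system is solvable
    sigs = (sign(m1, A_inv, x2), sign(m2, A_inv, x2))
    return u, recover_u((m1, m2), sigs)

if __name__ == "__main__":
    u, u_rec = demo()
    print("u recovered from nonce reuse:", u == u_rec)
```

The recovery needs nothing but two signatures on distinct known messages: the unknown $x_2$ only scales the row of A and cancels in the ratio $w_2 / w_1$, so the "linear equations" of remark (ii) are solvable even though the attacker never learns $x_2$ itself.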



3. THE BINARY QUADRATIC SCHEME OVER ALGEBRAIC INTEGERS

The binary quadratic scheme may still yield a good signature scheme if we replace the rational integers $x_1, x_2, s_1, s_2, m$ by algebraic integers $X_1, X_2, S_1, S_2, M$ which range over the set

$\mathbb{Z}_{n,d} := \{a + b\sqrt{d} \mid a, b \in \mathbb{Z},\ 0 \le a, b < n\}$.

The set $\mathbb{Z}_{n,d}$ can play a similar role as the set $\mathbb{Z}_n$ of integers modulo n. There is a natural way of adding and multiplying elements in $\mathbb{Z}_{n,d}$:

$(a' + b'\sqrt{d}) + (a'' + b''\sqrt{d}) := a + b\sqrt{d}$ with $a := a' + a'' \pmod n$, $b := b' + b'' \pmod n$,

$(a' + b'\sqrt{d})(a'' + b''\sqrt{d}) := a + b\sqrt{d}$ with $a := a'a'' + d\,b'b'' \pmod n$, $b := a'b'' + a''b' \pmod n$.

So all arithmetic operations in $\mathbb{Z}_{n,d}$ are done modulo $n\mathbb{Z}[\sqrt{d}]$ and in standard algebraic notation $\mathbb{Z}_{n,d}$ is the ring $\mathbb{Z}[\sqrt{d}]/n\mathbb{Z}[\sqrt{d}]$. An element $a + b\sqrt{d}$ is invertible iff $a^2 - b^2 d \in \mathbb{Z}_n^*$, and in this case

$(a + b\sqrt{d})^{-1} = a' - b'\sqrt{d}$ with $a' = a(a^2 - b^2 d)^{-1} \pmod n$, $b' = b(a^2 - b^2 d)^{-1} \pmod n$.

Let $\mathbb{Z}_{n,d}^* \subset \mathbb{Z}_{n,d}$ be the subgroup of invertible elements.

LEMMA 2 With the above arithmetic operations $\mathbb{Z}_{n,d}$ forms a commutative ring with $\mathbb{Z}_n \subset \mathbb{Z}_{n,d}$, $\mathbb{Z}_n^* \subset \mathbb{Z}_{n,d}^*$.

In the sequel we let the variables $X_1, X_2, S_1, S_2, M$ range over $\mathbb{Z}_{n,d}$. For an arbitrary $u \in \mathbb{Z}_n^*$ the substitution

(7) $X_1 := S_1 - u^{-1} S_2$, $X_2 := S_1 + u^{-1} S_2$

yields $X_1 X_2 = S_1^2 + k S_2^2$ with $k := -u^{-2} \pmod n$. So given u the equation

(8) $X_1 X_2 = M$,

which can easily be solved for any $M \in \mathbb{Z}_{n,d}^*$, is equivalent to the less trivial equation

(9) $S_1^2 + k S_2^2 = M$.

This observation yields an efficient signature scheme. For key generation Alice picks a random element $u \in \mathbb{Z}_n^*$, publishes $k := -u^{-2} \pmod n$, and keeps u secret. For any M Alice can easily solve the equation (9). She picks $X_1 \in \mathbb{Z}_{n,d}^*$ at random, computes $X_2 := M X_1^{-1}$ and inverts the linear substitution (7):

$S_1 := (X_2 + X_1)/2$, $S_2 := (X_2 - X_1)\,u/2$.

Once k is published, Bob (or anyone else) cannot compute u, and cannot follow the method of solving equation (9) that Alice is using.

For convenience we write polynomial equations over $\mathbb{Z}_{n,d}$ as systems of polynomial equations over $\mathbb{Z}_n$. Let

$X_i = x_{i1} + \sqrt{d}\,x_{i2}$, $S_i = s_{i1} + \sqrt{d}\,s_{i2}$ for $i = 1, 2$, and $M = m_1 + \sqrt{d}\,m_2$,

with $x_{ij}, s_{ij}, m_i \in \mathbb{Z}_n$. The equation $X_1 \cdot X_2 = M$ can be written as

(10) $x_{11} x_{21} + d\,x_{12} x_{22} = m_1 \pmod n$, $x_{11} x_{22} + x_{12} x_{21} = m_2 \pmod n$.

The equation $S_1^2 + k S_2^2 = M$ can be written as

(11) $s_{11}^2 + d\,s_{12}^2 + k\,(s_{21}^2 + d\,s_{22}^2) = m_1 \pmod n$, $2\,(s_{11} s_{12} + k\,s_{21} s_{22}) = m_2 \pmod n$.

Elimination of $s_{11}$ in the latter equation yields

$s_{11} = (m_2 - 2k\,s_{21} s_{22}) / (2 s_{12}) \pmod n$.

Therefore the system of equations (11) is equivalent to the ternary quartic equation (12), provided that $s_{12} \in \mathbb{Z}_n^*$:

(12) $(m_2 - 2k\,s_{21} s_{22})^2 + 4 s_{12}^2 \bigl(d\,s_{12}^2 + k\,(s_{21}^2 + d\,s_{22}^2) - m_1\bigr) = 0 \pmod n$.

So this equation can be taken as verification condition for the binary quadratic signature scheme over $\mathbb{Z}_{n,d}$.

The signature scheme based on equation (12) consists of the following components:

Key generation

1. choose two random primes p, q so that $p \cdot q$ is difficult to factor, put $n := p \cdot q$.

2. pick random integers u, d which are relatively prime to n.

3. publish $k := -u^{-2} \pmod n$, d, n, and keep u secret.

Messages are pairs $(m_1, m_2)$ of integers in the range $0 \le m_1, m_2 < n$, i.e. $m_1, m_2 \in \mathbb{Z}_n$.

Signature verification

A triple $(s_{12}, s_{21}, s_{22})$ of integers in $\mathbb{Z}_n$ is a valid signature for the message $(m_1, m_2)$ if it satisfies the equation (12)

$(m_2 - 2k\,s_{21} s_{22})^2 + 4 s_{12}^2 \bigl(d\,s_{12}^2 + k\,(s_{21}^2 + d\,s_{22}^2) - m_1\bigr) = 0 \pmod n$.

This equation can easily be checked using k, d, n with 10 multiplications and 4 additions/subtractions modulo n. We do not count the trivial multiplication by 4.

Signature generation

(We solve the easy system (10), and using the private key u we transform its solution into a solution of (12) by inverting the linear substitution (7).)

1. pick random elements $x_{11}, x_{12} \in \mathbb{Z}_n$ so that $x_{11}^2 - d\,x_{12}^2$ is relatively prime to n.

2. $x_{22} := (m_2 x_{11} - m_1 x_{12}) / (x_{11}^2 - d\,x_{12}^2) \pmod n$,

3. $x_{21} := (m_1 x_{11} - d\,m_2 x_{12}) / (x_{11}^2 - d\,x_{12}^2) \pmod n$,

4. $s_{12} := (x_{22} + x_{12})/2 \pmod n$, $s_{21} := (x_{21} - x_{11})\,u/2 \pmod n$, $s_{22} := (x_{22} - x_{12})\,u/2 \pmod n$.

LEMMA 3 Signature generation can be done with 9 multiplications and 1 division modulo n. (The division by 2 is trivial.)

PROOF Compute $x_{11}^2$, $d\,x_{12}^2$, $d\,x_{12}$, $d\,m_2 x_{12}$ with only 4 multiplications modulo n. Obviously the rest of the computation can be done with 5 multiplications and 1 division modulo n. Q.E.D.

For a message $(m_1, m_2)$ let $M := m_1 + m_2\sqrt{d}$ be the corresponding element in $\mathbb{Z}_{n,d}$; obviously $m_1^2 - d\,m_2^2 \in \mathbb{Z}_n^*$ iff $M \in \mathbb{Z}_{n,d}^*$. For messages $(m_1, m_2)$ with $m_1^2 - d\,m_2^2 \in \mathbb{Z}_n^*$ the above signature procedure generates arbitrary signatures of $(m_1, m_2)$ with uniform probability distribution.

LEMMA 4 For every message $(m_1, m_2)$ with $m_1 + m_2\sqrt{d} \in \mathbb{Z}_{n,d}^*$ the set of signatures of $(m_1, m_2)$ is in 1-1 correspondence with the set of values $(s_{12}, s_{21}, s_{22})$ in step 4 as $x_{11} + x_{12}\sqrt{d}$ ranges over $\mathbb{Z}_{n,d}^*$.

PROOF The set of signatures of $(m_1, m_2)$ is in 1-1 correspondence to the set of solutions $(S_1, S_2)$ of $S_1^2 + k S_2^2 = M$. By the linear transformation (7) the set of solutions $(S_1, S_2)$ of $S_1^2 + k S_2^2 = M$ is in 1-1 correspondence to the set of solutions $(X_1, X_2)$ of $X_1 \cdot X_2 = M$. Since $M \in \mathbb{Z}_{n,d}^*$ these solutions are in 1-1 correspondence with the set of elements $X_1 \in \mathbb{Z}_{n,d}^*$ (remember that $X_1 = x_{11} + x_{12}\sqrt{d} \in \mathbb{Z}_{n,d}^*$ iff $x_{11}^2 - d\,x_{12}^2$ is relatively prime to n). Q.E.D.

As a consequence of Lemma 4 messages $(m_1, m_2)$ for which $m_1^2 - d\,m_2^2$ is not relatively prime to n should be avoided. We have excluded messages with $m_1 = 0$ or $m_2 = 0$ anyway, see remark 7 (iv), (v). No other message $(m_1, m_2)$ with $\gcd(m_1^2 - d\,m_2^2, n) \notin \{1, n\}$ is likely to occur.

REMARKS 5 The characteristic properties of the original binary quadratic OSS-scheme remain intact: i) The generation of the keys u, $k := -u^{-2} \pmod n$, d can be done without knowing the factorization of n. All public keys may share the (d,n)-part provided that the factorization of n is unknown to all participants of the system. ii) Computing the private key u from the public key k, n requires computing $\sqrt{-k} \pmod n$, and thus is as hard as factoring n. iii) The signature scheme is multiplicative over $\mathbb{Z}_{n,d}$. Solutions $S_1', S_2'$ and $S_1'', S_2''$ of

$S_1'^2 + k S_2'^2 = M'$, $S_1''^2 + k S_2''^2 = M''$

yield a solution $S_1, S_2$ of $S_1^2 + k S_2^2 = M' M''$ as

$S_1 = S_1' S_1'' - k\,S_2' S_2''$, $S_2 = S_1' S_2'' + S_2' S_1''$.

iv) The roles of k, M in the equation $S_1^2 + k S_2^2 = M$ can be interchanged, since $S_1^2 + k S_2^2 = M$ is equivalent to $(S_1 S_2^{-1})^2 - M S_2^{-2} = -k$.
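The signing steps 1-4, the verification condition (12) and the multiplicativity of remark 5 (iii), as an added Python example that is not code from the paper. Elements of $\mathbb{Z}_{n,d}$ are stored as pairs (a, b) of residues; the primes, d and u are toy values chosen here (assumptions), far below the 600-bit modulus the text calls for. The verifier sees only the published triple $(s_{12}, s_{21}, s_{22})$ and the public key.

```python
# Added example (not the paper's code): the binary quadratic scheme over
# Z_{n,d}. An element a + b*sqrt(d) is stored as the pair (a, b) of residues
# mod n; keygen, the signing steps 1-4, the verification condition (12) and
# the multiplicativity of remark 5 (iii) follow the text. The modulus and
# the key are toy values (assumption, for illustration only).
import math
import random

P, Q = 1000003, 1000033          # toy primes (assumed; the paper wants ~600-bit n)
N = P * Q

def inv(a, n=N):
    return pow(a, -1, n)         # raises ValueError if a is not a unit

# arithmetic in Z_{n,d}: (a'+b'√d)(a''+b''√d) = (a'a'' + d b'b'') + (a'b'' + a''b')√d
def qadd(x, y, n=N):
    return ((x[0] + y[0]) % n, (x[1] + y[1]) % n)

def qsub(x, y, n=N):
    return ((x[0] - y[0]) % n, (x[1] - y[1]) % n)

def qscale(c, x, n=N):
    return (c * x[0] % n, c * x[1] % n)

def qmul(x, y, d, n=N):
    return ((x[0] * y[0] + d * x[1] * y[1]) % n, (x[0] * y[1] + x[1] * y[0]) % n)

def qinv(x, d, n=N):
    """(a + b√d)^{-1} = (a - b√d) / (a^2 - d b^2); exists iff the norm is a unit."""
    a, b = x
    t = inv((a * a - d * b * b) % n, n)
    return (a * t % n, (-b * t) % n)

def keygen(u, d, n=N):
    """Public key (n, d, k) with k = -u^{-2}; private key u (no factors of n needed)."""
    k = (-inv(u * u % n, n)) % n
    return (n, d, k), u

def sign(msg, pub, u, rng=None):
    """Steps 1-4: solve X_1 X_2 = M, then invert substitution (7)."""
    n, d, k = pub
    rng = rng or random.SystemRandom()
    while True:                                          # step 1: X_1 must be a unit
        x1 = (rng.randrange(n), rng.randrange(n))
        if math.gcd((x1[0] ** 2 - d * x1[1] ** 2) % n, n) == 1:
            break
    x2 = qmul(msg, qinv(x1, d, n), d, n)                 # steps 2-3: X_2 = M X_1^{-1}
    h = inv(2, n)
    s1 = qscale(h, qadd(x2, x1, n), n)                   # S_1 = (X_2 + X_1)/2
    s2 = qscale(u * h % n, qsub(x2, x1, n), n)           # S_2 = (X_2 - X_1) u/2
    return s1, s2

def triple(sig):
    """What Alice publishes (step 4): (s_12, s_21, s_22); s_11 is implied by (12)."""
    (s11, s12), (s21, s22) = sig
    return (s12, s21, s22)

def verify(msg, pub, tri):
    """Verification condition (12), public data only."""
    n, d, k = pub
    m1, m2 = msg
    s12, s21, s22 = tri
    lhs = (m2 - 2 * k * s21 * s22) ** 2 \
        + 4 * s12 * s12 * (d * s12 * s12 + k * (s21 * s21 + d * s22 * s22) - m1)
    return lhs % n == 0

def combine(sig_a, sig_b, pub):
    """Remark 5 (iii): signatures of M' and M'' combine into one of M'M''
    without u: S_1 = S_1'S_1'' - k S_2'S_2'', S_2 = S_1'S_2'' + S_2'S_1''."""
    n, d, k = pub
    (a1, a2), (b1, b2) = sig_a, sig_b
    s1 = qsub(qmul(a1, b1, d, n), qscale(k, qmul(a2, b2, d, n), n), n)
    s2 = qadd(qmul(a1, b2, d, n), qmul(a2, b1, d, n), n)
    return s1, s2

if __name__ == "__main__":
    pub, u = keygen(123457, 5)
    msg = (424242, 1337)
    print("valid:", verify(msg, pub, triple(sign(msg, pub, u))))
```

`combine` needs no private key: whoever holds signatures of M' and M'' can produce one of M'M''. As with any multiplicative signature, messages must therefore be formatted (for instance by hashing) so that a useful product cannot be assembled from signed values.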

With these remarks the following theorem can be proved in the same way as its counterpart in [3].

THEOREM 6 Any algorithm for computing u from random signatures of messages of its choice can be transformed into a probabilistic factoring algorithm with similar complexity.

PROOF See proof of theorem 2 in [3].

REMARKS 7 i) The theorem can easily be extended to the case of an algorithm that succeeds for only some of the u-values, provided that the fraction of these u-values is non-negligible. ii) In Rabin's signature scheme an opponent can factor n by analysing the signatures of specific messages. In our scheme the factorization of n and the secret parameter u cannot be revealed by chosen message attacks. iii) If Bob could compute one of the $x_{ij}$-values, $i, j \in \{1, 2\}$, corresponding to a signature $s_{ij}$, $i, j \in \{1, 2\}$, he could compute u. For instance given $x_{11}$, $s_{11}$ and $s_{21}$ Bob can compute u from $x_{11} = s_{11} - u^{-1} s_{21} \pmod n$. A single $x_{ij}$-value is thus as hard to compute as u. iv) Messages $(m_1, m_2)$ with $m_2 = 0$ can be signed without the private key u. It is sufficient to solve

$s_1^2 + k s_2^2 = m_1 \pmod n$

by Pollard's algorithm [4]. v) Messages $(m_1, m_2)$ with $m_1 = 0$ can also be signed without the private key u. This easily follows from (iii) and the multiplicativity of the scheme (remark 5, iii).



THE COMPLEXITY OF SOLVING $S_1^2 + k S_2^2 = M$ OVER $\mathbb{Z}_{n,d}$

Pollard [4] solves the equation $s_1^2 + k s_2^2 = m \pmod n$ by successively reducing m and k. He reduces m to $m' < \sqrt{k}$, interchanges m and k, and continues until both m and k are 1. His basic reduction step uses the Euclidean algorithm over $\mathbb{Z}$.

Pollard's method does not solve $S_1^2 + k S_2^2 = M$ since $\mathbb{Z}[\sqrt{d}]$ is not a Euclidean domain (with respect to the norm) provided that $d > 73$ or $d < -11$. In particular there exist $A, B \in \mathbb{Z}[\sqrt{d}]$ such that $|N(A - C \cdot B)| \ge |N(B)|$ for all $C \in \mathbb{Z}[\sqrt{d}]$ (where N is the norm, $N(x + \sqrt{d}\,y) = x^2 - d\,y^2$). It is unlikely that the missing Euclidean algorithm for $\mathbb{Z}[\sqrt{d}]$ can be replaced by some other norm reducing procedure. For large |d| almost all elements $A \in \mathbb{Z}[\sqrt{d}]$ with $|N(A)| \ll d$ are rational integers and these are unlikely to appear in a general procedure over $\mathbb{Z}[\sqrt{d}]$.

The methods for solving $s_1^2 + k s_2^2 = m \pmod n$ which use the class group of quadratic forms with discriminant $-4k$, see [3], do not solve $S_1^2 + k S_2^2 = M$. The reason is that equivalence classes of quadratic forms with coefficients in $\mathbb{Z}[\sqrt{d}]$ cannot be represented in a canonical way by reduced forms.

The fastest known method for solving $S_1^2 + k S_2^2 = M$ is by factoring n. This method becomes infeasible if n is at least 600 bits long.

The complexity of solving general polynomial equations modulo n is an open problem and it may become an important subject for further cryptographic research.
IDENTITY-BASED CRYPTOSYSTEMS AND SIGNATURE SCHEMES

Adi Shamir

Department of Applied Mathematics
The Weizmann Institute of Science
Rehovot, 76100 Israel

THE IDEA 

In this paper we introduce a novel type of cryptographic scheme, 
which enables any pair of users to communicate securely and to verify 
each other's signatures without exchanging private or public keys, with- 
out keeping key directories, and without using the services of a third 
party. The scheme assumes the existence of trusted key generation cen- 
ters, whose sole purpose is to give each user a personalized smart card 
when he first joins the network. The information embedded in this card 
enables the user to sign and encrypt the messages he sends and to decrypt 
and verify the messages he receives in a totally independent way, regard- 
less of the identity of the other party. Previously issued cards do 
not have to be updated when new users join the network, and the various 
centers do not have to coordinate their activities or even to keep a 
user list. The centers can be closed after all the cards are issued, 
and the network can continue to function in a completely decentralized 
way for an indefinite period. 

The scheme is ideal for closed groups of users such as the execu- 
tives of a multinational company or the branches of a large bank, since 
the headquarters of the corporation can serve as a key generation cen- 
ter that everyone trusts. The scheme remains practical even on a nation- 
wide scale with hundreds of key generation centers and millions of users, 
and it can be the basis for a new type of personal identification card 
with which everyone can electronically sign checks, credit card slips, 
legal documents, and electronic mail. 

The scheme is based on a public key cryptosystem with an extra 
twist: Instead of generating a random pair of public/secret keys and 
publishing one of these keys, the user chooses his name and network ad- 
dress as his public key. Any combination of name, social security num- 
ber, street address, office number or telephone number can be used (de- 
pending on the context) provided that it uniquely identifies the user 
in a way he cannot later deny, and that it is readily available to the other party. The corresponding secret key is computed by a key generation center and issued to the user in the form of a smart card when he first joins the network. The card contains a microprocessor, an I/O port, a RAM, a ROM with the secret key, and programs for message encryption/decryption and signature generation/verification.

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 47-53, 1985. © Springer-Verlag Berlin Heidelberg 1985

An identity-based scheme resembles an ideal mail system: If you 
know somebody's name and address you can send him messages that only he 
can read, and you can verify the signatures that only he could have 
produced. It makes the cryptographic aspects of the communication al- 
most transparent to the user, and it can be used effectively even by 
laymen who know nothing about keys or protocols. 

When user A wants to send a message to user B, he signs it with 
the secret key in his smart card, encrypts the result by using B's name 
and network address, adds his own name and network address to the mes- 
sage, and sends it to B. When B receives the message, he decrypts it 
using the secret key in his smart card, and then verifies the signature 
by using the sender's name and network address as a verification key. 

The secret keys must be computed by a key generation center rather 
than by the users, since there is nothing special about a user's iden- 
tity: If user A could compute the secret key that corresponds to the 
public key "A" , he could also compute the secret keys that correspond 
to the public keys "B", "C", etc., and the scheme would not be secure. 
The key generation center can be in a privileged position by knowing 
some secret information (such as the factorization of a large number) 
which enables it to compute the secret keys of all the users in the 
network. 

The overall security of the scheme depends on the following points: (a) The security of the underlying cryptographic functions. (b) The secrecy of the privileged information stored at the key generation centers. (c) The thoroughness of the identity checks performed by the centers before they issue cards to users. (d) The precautions taken by users to prevent the loss, duplication, or unauthorized use of their cards.

The cryptographic scheme effectively ties the message with the iden- 
tification information i, and the ownership of the card effectively ties 
i with the physical user. Like any other agency that issues ID cards, 
the center must carefully screen requests for cards to prevent misrepre- 
sentations, and must carefully protect its "stamps" to prevent forgeries. 
Users can protect themselves against unauthorized use of their cards via 
a password system or by memorizing part of the key. 

The differences between private-key, public-key, and identity-based cryptosystems are summarized in Fig. 1. In all these schemes, the message m is encrypted under key ke, transmitted as ciphertext c through the exposed channel, and decrypted under key kd. The choice of keys is based on a truly random seed k. In private-key schemes, ke = kd = k, and the separate key channel (which is usually a courier) must preserve both the secrecy and the authenticity of the key. In public-key schemes, the encryption and decryption keys are derived from k via two different functions ke = fe(k) and kd = fd(k), and the separate key channel (which is usually a directory) must preserve only the authenticity of the key. In identity-based schemes, the encryption key is the user's identity ke = i, and the decryption key is derived from i and k via kd = f(i,k). The separate key channel between the users is completely eliminated, and is replaced by a single interaction with the key generation center when the recipient first joins the network.

Public-key and identity-based signature schemes are mirror images of the corresponding cryptosystems, as depicted in Fig. 2. The message m is signed with the signature generation key kg, transmitted along with its signature s and sender identity i, and verified with the signature verification key kv. The rest of the diagram should be self-evident.

THE IMPLEMENTATION 

To implement the idea described in the previous section, we need 
a public-key scheme with two additional properties: (a) When the seed 
k is known, secret keys can be easily computed for a non-negligible 
fraction of the possible public keys. (b) The problem of computing the 
seed k from specific public/secret key pairs generated with this k is 
intractable. 

Unfortunately, the RSA scheme cannot be used in a way that satis- 
fies these conditions simultaneously: (a) If the modulus n is a pseudo- 
random function of the user's identity, even the key generation center 
cannot factor this n and cannot compute the decryption exponent d from 
the encryption exponent e. (b) If the modulus n is universal and the 
seed is its secret factorization, then anyone who knows an encryption 
exponent e and its corresponding decryption exponent d can compute the 
seed. 

At this stage we have concrete implementation proposals only for identity-based signature schemes, but we conjecture that identity-based cryptosystems exist as well and we encourage the reader to look for such systems. This situation is reminiscent of the 1976 period, when public key cryptosystems were defined and their potential applications were investigated even though the first concrete implementations were published only in 1978.

The signature scheme is based on the verification condition

$s^e = i \cdot t^{f(t,m)} \pmod n$

where

- m is the message
- s, t is the signature
- i is the user's identity
- n is the product of two large primes
- e is a large prime which is relatively prime to $\varphi(n)$
- f is a one way function.

The parameters n, e and the function f are chosen by the key generation center, and all the users have the same n, e and the same algorithmic description of f stored in their smart cards. These values can be made public, but the factorization of n should be known only to the key generation center. The only difference between users is the value of i, and the secret key which corresponds to i is the (unique) number g such that

$g^e = i \pmod n$.

This g can be easily computed by the key generation center, but if the RSA scheme is secure no one else can extract e-th roots mod n.

Each message m has a large number of possible (s,t) signatures, but their density is so low that a random search is extremely unlikely to discover any one of them. Any attempt to set one of (s,t) to a random value and solve for the other variable requires the extraction of modular roots, which is believed to be an exceedingly difficult computational task. However, when g is known, there is a very simple way to generate any number of signatures of any message even when the factorization of n is unknown.

To sign the message m, the user chooses a random number r and computes

$t = r^e \pmod n$.

The verification condition can be rewritten as

$s^e = g^e \cdot r^{e f(t,m)} \pmod n$.

Since e is relatively prime to $\varphi(n)$, we can eliminate the common factor e from the exponents,

$s = g \cdot r^{f(t,m)} \pmod n$,

and thus s can be computed without any root extraction.

To prevent attacks based on multiplicative relationships between the identities (and thus also the g values) of different users, it is advisable to expand the string that describes the user's identity into a long pseudo-random string via a universal one way function, and use the expanded form as i in the verification condition. Since everyone in the network knows how to apply this function, the scheme retains its identity-based flavour even though the signature verification key is not strictly equal to the user's identity.

The security of the scheme depends on the inability of the cryptanalyst to isolate g by analysing a large number of valid signatures of messages of his choice. If the gcd of f and e is $c \ne 1$, it is possible to extract the c-th root of i by manipulating the verification condition, and thus it is essential to make e a sufficiently large prime and f a sufficiently strong one way function so that this case will never arise in practice. The value of r should never be reused or revealed, since g is protected in any concrete signature only by its randomness and secrecy.
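The scheme above as an added Python example (not Shamir's code): the key generation center computes g as the e-th root of the expanded identity, a user signs without any root extraction, anyone verifies with the public n, e, f and the sender's name, and the last function shows what happens to g when r is revealed. SHA-256 stands in for both the one way function f and the identity-expanding function, and e = 65537 and the small primes are assumptions made here.

```python
# Added example (not Shamir's code): the identity-based signature scheme with
# verification condition s^e = i * t^{f(t,m)} (mod n). Assumptions made here:
# a toy modulus, SHA-256 both as the one-way function f and as the "universal
# one way function" that expands the identity string into i, and e = 65537.
import hashlib
import math

P, Q = 1000003, 1000033      # toy primes, known only to the key generation center
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                    # prime, relatively prime to phi(n)
assert math.gcd(E, PHI) == 1
NBYTES = (N.bit_length() + 7) // 8

def expand_identity(name: str) -> int:
    """i = H(name) mod n: hashing removes multiplicative relations between identities."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def f(t: int, m: bytes) -> int:
    """One-way function mixing t and m; its (large) value is used as an exponent."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(NBYTES, "big") + m).digest(), "big")

def center_issue_key(name: str) -> int:
    """Key generation center: g = e-th root of i mod n, needs the factorization of n."""
    i = expand_identity(name)
    return pow(i, pow(E, -1, PHI), N)

def sign(g: int, m: bytes, r: int):
    """t = r^e, s = g * r^{f(t,m)} (mod n). r must be fresh, random and secret."""
    t = pow(r, E, N)
    s = g * pow(r, f(t, m), N) % N
    return s, t

def verify(name: str, m: bytes, sig) -> bool:
    """Anyone can check with the public n, e, f and the sender's name."""
    s, t = sig
    return pow(s, E, N) == expand_identity(name) * pow(t, f(t, m), N) % N

def recover_g_from_leaked_r(m: bytes, sig, r: int) -> int:
    """Why r must stay secret: g = s * r^{-f(t,m)} falls out of a single signature."""
    s, t = sig
    return s * pow(pow(r, f(t, m), N), -1, N) % N

if __name__ == "__main__":
    g = center_issue_key("alice@example.net")
    sig = sign(g, b"pay bob 10", 987654321)
    print("verifies:", verify("alice@example.net", b"pay bob 10", sig))
    print("leaked r recovers g:", recover_g_from_leaked_r(b"pay bob 10", sig, 987654321) == g)
```

The same recovery works if r is reused with two different messages, since the two s values then differ only by a known power of r; the secrecy of g rests entirely on r being fresh and unpredictable for every signature.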

The variants of the verification condition in which one of the two 
occurrences of t is eliminated (e.g. , by replacing it with a constant) 
are insecure. It is thus important to use a one way function that mixes 
t and m thoroughly (preferably via non-arithmetic and non-invertible 
operations) and which has a large range of possible values. 

We believe that with a proper choice of parameters this scheme can be made very secure, but we cannot prove that breaking it is equivalent to solving some well known computational problem. Its main purpose is didactic, to serve as the first existence proof for identity-based schemes. The Ong-Schnorr-Shamir signature scheme (described elsewhere in these proceedings) can also be used as an identity-based scheme, but its security is still an open problem in light of Pollard's successful attacks against its earlier versions. As always, we do not recommend using this scheme right away, before the cryptographic community has had ample time to assess its security.
A Knapsack Type Public Key Cryptosystem Based On Arithmetic in Finite Fields

(preliminary draft)

Benny Chor, Ronald L. Rivest

Abstract. We introduce a new knapsack type public key cryptosystem. The system is based on a novel application of arithmetic in finite fields, following a construction by Bose and Chowla. Appropriately choosing the parameters, we can control the density of the resulting knapsack. In particular, the density can be made high enough to foil "low density" attacks against our system. At the moment, we do not know of any attacks capable of "breaking" this system in a reasonable amount of time.



1. INTRODUCTION 

In 1976, Diffie and Hellman [7] introduced the idea of public key cryptography, in which two different keys are used: one for encryption, and one for decryption. Each user keeps his decryption key secret, while making the encryption key public, so it can be used by everyone wishing to send messages to him. A few months later, the first two implementations of public key cryptosystems were discovered: the Merkle-Hellman scheme [13] and the Rivest-Shamir-Adleman scheme [17]. Some more PKC have been proposed since that time. Most of them can be put into two categories (1):

a. PKC based on hard number-theoretic problems ([17],[16],[8]).

b. PKC related to the knapsack problem ([13], [2]).

While no efficient attacks against number theoretic PKC are known, some knapsack type PKC were shown to be insecure. Most of those systems have a concealed "superincreasing" sequence. Shamir made the first successful attack on the basic Merkle-Hellman system (see [19]). Following his attack, other attacks against more complicated systems were proposed. The strongest of these seems to be the "low density" attack of Lagarias and Odlyzko [11]. The most interesting point about this last attack is that it does not make any assumption about how the system was constructed, and thus might be applicable to any knapsack type cryptosystem (unlike, say, Shamir's attack which relies heavily on the superincreasing underlying sequence). As a result of these attacks, knapsack type PKC which are either based on superincreasing sequences or have very low density seem to be vulnerable.

* Research supported by NSF grant MCS-8006938. Part of this research was done while the first author was visiting Bell Laboratories, Murray Hill, NJ.

(1) With the exception of the McEliece system [12], which is based on error correcting codes.

In this paper, we propose a new knapsack type PKC which has high density and a completely 
different basis. The underlying construction makes use of a result due to Bose and Chowla [1] 
about unique representation of sums in "dense" finite sequences. To implement this construc- 
tion requires taking discrete logarithms in finite fields, for creating the encryption-decryption 
keys. Once this is done, encryption is very fast (linear time) and decryption is reasonably fast 
(comparable to RSA). Hence creating the keys is the hard part. While there are no polyno- 
mial time algorithms known for taking discrete logarithms, there are practical algorithms (most 
notably the ones due to Pohlig and Hellman [15] and Coppersmith [5]) in some special cases. We 
can demonstrate the existence of such special cases which would both yield reasonable size keys to foil the low density and exhaustive search attacks, and do so in a reasonable amount of time (a few hours on a minicomputer, which is not too bad since keys are created only once per user).
It should also be noticed that all known number theoretic PKC are at most as hard as factoring 
and hence are all reducible to the problem of taking discrete logarithms in composite moduli 
(see appendix 1). Should this discrete logarithm problem become tractable (thus rendering all 
"number-theoretic" PKC insecure), our system will become easier to create for even larger size 
knapsacks. 

The remainder of this paper is organized as follows: In section 2 we discuss the knapsack problem and its use in cryptosystems. Section 3 describes the Bose-Chowla theorem and its proof. In section 4 we give the details of our new cryptosystem. In section 5 the system performance is examined, and section 6 describes the actual parameters for implementing our PKC. Finally, some possible attacks against the new system are analyzed in section 7.

2. KNAPSACK-TYPE CRYPTOSYSTEMS 

The 0-1 knapsack problem is the following NP-complete decision problem: Given a set 
A = { a_i | 0 ≤ i ≤ n − 1 } of non-negative integers and a non-negative integer S, is there 
an integer solution to 
$$\sum_{i=0}^{n-1} x_i a_i = S$$
where all x_i are 0 or 1? A different variant of the problem is 
to remove the 0-1 restriction on the x_i (but insisting they remain non-negative integers) and 
bounding their total weight Σ x_i. 

Knapsack type public-key cryptosystems are based on the intractability of finding a solution to 
S = Σ x_i a_i even when a solution is known to exist. In such systems, each user publishes a set 
A of a_i and a bound h. A plaintext message consisting of an integer vector M = (x_0, x_1, ..., x_{n−1}) 
with weight ≤ h is encrypted by setting 
$$S = \sum_{i=0}^{n-1} x_i a_i .$$

The knapsack elements a_i are chosen in such a way that the equation is easily solved if certain 
secret trapdoor information is known. The exact nature of this information depends on the 
particular system in question. A general property of knapsack type PKC is that encryption is 
easy - all you have to do is to add. 

3. BOSE-CHOWLA THEOREM 

In 1936, Sidon raised the question of whether there exist "dense" sequences whose h-fold sums 
are unique. Given n and h, non-negative integers, is there a sequence A = { a_i | 0 ≤ i ≤ n − 1 } 
of non-negative integers, such that all sums of exactly h elements (repetitions allowed) 
out of A are distinct? It is easy to construct such sequences if the a_i are growing exponentially 
in n: For example, the sequence { 1, h, h^2, ..., h^{n−1} } has the above property (but does not work 
even for h + 1 element sums, since h^2 + h · 1 = (h + 1) · h). But can one construct such a sequence 
with the a_i growing only polynomially fast in n? Bose and Chowla [1] found a very elegant way 
of constructing such sequences with 1 ≤ a_i ≤ n^h − 1 (see [9, ch. 2] for an overview of the subject). 
Here, we'll present a slightly modified version of the Bose-Chowla theorem, which will fit well our 
cryptographic application. 

Bose-Chowla Theorem. Let p be a prime, h ≥ 2 an integer. Then there exists a sequence 
A = { a_i | 0 ≤ i ≤ p − 1 } of integers such that 

1. 1 ≤ a_i ≤ p^h − 1 (i = 0, 1, ..., p − 1). 

2. If (x_0, x_1, ..., x_{p−1}) and (y_0, y_1, ..., y_{p−1}) are two distinct vectors with non-negative integral 
coordinates and Σ_{i=0}^{p−1} x_i, Σ_{i=0}^{p−1} y_i ≤ h, then Σ_{i=0}^{p−1} x_i a_i ≠ Σ_{i=0}^{p−1} y_i a_i. 

Proof: The construction takes place in GF(p) and its h-degree extension, GF(p^h). Let t ∈ GF(p^h) 
be algebraic of degree h over GF(p) (i.e. the minimal polynomial in GF(p)[x] having t as its 
root is of degree h). Let g be a multiplicative generator (primitive element) of GF(p^h). Look 
at an additive shift by t of the base field, GF(p), namely at the set t + GF(p) = { t + i | i = 
0, 1, ..., p − 1 } ⊂ GF(p^h). 

Let a_i = log_g(t + i) (i = 0, 1, ..., p − 1), the logarithm of t + i to the base g in GF(p^h). Then the 
a_i are all in the interval [1, p^h − 1] and they satisfy the distinctness of h-fold sums: For suppose 
there are two vectors x, y with 

$$(x_0, x_1, \ldots, x_{p-1}) \neq (y_0, y_1, \ldots, y_{p-1}), \qquad \sum_{i=0}^{p-1} x_i,\ \sum_{i=0}^{p-1} y_i \le h, \qquad \text{and} \qquad \sum_{i=0}^{p-1} x_i a_i = \sum_{i=0}^{p-1} y_i a_i .$$

Then 

$$g^{\sum_{i=0}^{p-1} x_i a_i} = g^{\sum_{i=0}^{p-1} y_i a_i} \qquad \text{and so} \qquad \prod_{i=0}^{p-1} \left(g^{a_i}\right)^{x_i} = \prod_{i=0}^{p-1} \left(g^{a_i}\right)^{y_i} .$$

Since g^{a_i} = t + i, we get 

$$(t + i_1)^{x_{i_1}} (t + i_2)^{x_{i_2}} \cdots (t + i_k)^{x_{i_k}} = (t + j_1)^{y_{j_1}} (t + j_2)^{y_{j_2}} \cdots (t + j_l)^{y_{j_l}} ,$$

where { i_1, i_2, ... } and { j_1, j_2, ... } are two different non-empty sets of elements from 
{ 0, 1, ..., p − 1 }, with at most h elements each. Therefore, both sides of the last equation are 
distinct monic polynomials of degree ≤ h with coefficients in GF(p), so we can subtract them 
and get: 

t is a root of a non-zero polynomial, with coefficients in GF(p), of degree ≤ h − 1. 
This contradicts the fact that t is algebraic of degree h over GF(p). ∎ 

Remarks: 

1. From the above proof it is clear that l-fold sums (l ≤ h) of A are distinct not only over Z, but also 
modulo p^h − 1. 

2. The requirement "p is a prime" can be replaced by "p is a prime power" with no change in 
the claim or its proof. 

4. THE NEW CRYPTOSYSTEM 

In this section we describe how the new cryptosystem is created and used. We start with 
an informal (and slightly simplified) description. Next, a step-by-step recipe for generating the 
cryptosystem, encrypting messages and decrypting cyphertexts is given. 

The first step is to pick p and h such that GF(p^h) is amenable to discrete logarithm 
computations. We leave p and h as unspecified parameters in this section, and elaborate more on 
their exact choice in section 7 (the approximate magnitudes will be p ≈ 200, h ≈ 25). Once p and 
h are chosen, we pick t ∈ GF(p^h) of algebraic degree h over the base field, and a primitive element 
g ∈ GF(p^h) (both t and g are picked at random from the many possible candidates). Following 
Bose and Chowla, logarithms (to base g) of the p elements in GF(p) + t are computed. These p 
integers are then scrambled, using a randomly chosen permutation. The scrambled integers are 
published. Together with p and h, they constitute the public key. 

In order to encrypt a binary message of length p and weight h, a user adds the knapsack 
elements with 1 in the corresponding message location, and sends the sum. Section 6 deals with 
the question of transforming "regular", unconstrained binary strings to those of the above form. 

When the legitimate receiver gets a sum, he first raises the generator g to it, and expresses 
the result as a degree h polynomial in t over GF(p). The h roots of this polynomial are found 
by successive substitutions. Applying the inverse of the original permutation, the indices of the 
plaintext having the bit 1 are recovered. 

a. System Generation 

1. Let p be a prime power, h < p an integer such that discrete logarithms in GF(p^h) can be 
efficiently computed. 

2. Pick t ∈ GF(p^h), t algebraic of degree h over GF(p), at random. This will be done by finding 
f(t), a random irreducible monic polynomial of degree h in GF(p)[t], and representing GF(p^h) 
arithmetic by GF(p)[t] / <f(t)> (where <f(t)> is the ideal generated by f(t)). 

3. Pick g ∈ GF(p^h), g a multiplicative generator of GF(p^h), at random. 

4. Construction following the Bose-Chowla theorem: Compute a_i = log_g(t + i) for i = 0, 1, 2, ..., p − 1. 

5. Scramble the a_i's: Let π : {0, 1, ..., p − 1} → {0, 1, ..., p − 1} be a randomly chosen permutation. 
Set b_i = a_{π(i)}. 

6. Add some noise: Pick 0 ≤ d ≤ p^h − 2 at random. Set c_i = b_i + d. 

7. Public key - to be published: c_0, c_1, ..., c_{p−1}; p, h. 

8. Private key - to be kept secret: t, g, π, d. 

Note: Every user will have the same p and h. The probability of collisions (two users having the 
same keys) is negligible. 

b. Encryption 

To encrypt a binary message M of length p and weight (number of 1's) exactly h, add the c_i's 
whose corresponding bit is 1. Send 

$$E(M) = c_{i_1} + c_{i_2} + \cdots + c_{i_h} \pmod{p^h - 1} .$$



c. Decryption 

0. Let r(t) = t^h mod f(t), a polynomial of degree ≤ h − 1 (computed once at system generation). 

1. Given s = E(M), compute s' = s − hd (mod p^h − 1). 

2. Compute p(t) = g^{s'} mod f(t), a polynomial of degree ≤ h − 1 in the formal variable t. 

3. Add t^h − r(t) to p(t) to get d(t) = t^h + p(t) − r(t), a polynomial of degree h in GF(p)[t]. 

4. We now have 

$$d(t) = (t + i_1)(t + i_2) \cdots (t + i_h) ,$$

namely d(t) factors into linear terms over GF(p). By successive substitutions, we find the h roots 
i_j (at most p substitutions needed). Apply π^{−1} to recover the coordinates of the original M 
having the bit 1. 
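The generation, encryption and decryption recipe above, run end to end on a toy instance. This is an added example, not the authors' code: p = 7, h = 3 and the seeds are assumptions, and the discrete logarithms of step 4 are tabulated by enumerating the powers of g instead of by Pohlig-Hellman, which is the only step that does not scale to the proposed p ≈ 200, h ≈ 25.

```python
"""Toy instance of the Bose-Chowla knapsack PKC of sections 3 and 4; a constructed example,
not the paper's code.  Polynomials over GF(p) are coefficient lists, lowest degree first, and
the field element t is the class of the formal variable in GF(p)[t]/<f(t)>."""
import itertools
import random

P, H = 7, 3                 # toy sizes (assumption); the paper proposes p ~ 200, h ~ 25
Q = P ** H - 1              # |GF(p^h)^*| = 342; knapsack sums are taken modulo Q

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return trim([(x + y) % P for x, y in zip(a, b)])

def mod(a, f):
    """Remainder of a modulo the monic polynomial f (long division over GF(P))."""
    a = list(a)
    while len(a) >= len(f):
        c, shift = a[-1], len(a) - len(f)
        if c:
            for i, fc in enumerate(f):
                a[shift + i] = (a[shift + i] - c * fc) % P
        a.pop()
    return trim(a)

def mul(a, b, f):
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % P
    return mod(prod, f)

def power(a, e, f):
    result, base = [1], a
    while e:
        if e & 1:
            result = mul(result, base, f)
        base = mul(base, base, f)
        e >>= 1
    return result

def evaluate(a, x):
    return sum(coef * pow(x, k, P) for k, coef in enumerate(a)) % P

def is_irreducible(f):
    """Monic f is irreducible iff no monic polynomial of degree <= deg(f)/2 divides it."""
    for k in range(1, (len(f) - 1) // 2 + 1):
        for coeffs in itertools.product(range(P), repeat=k):
            if not mod(f, list(coeffs) + [1]):
                return False
    return True

def keygen(seed):
    rng = random.Random(seed)
    while True:                                   # step 2: random irreducible monic f(t)
        f = [rng.randrange(P) for _ in range(H)] + [1]
        if is_irreducible(f):
            break
    while True:                                   # steps 3-4: random g, tabulate log_g by enumeration
        g = trim([rng.randrange(P) for _ in range(H)])
        logs, cur = {}, [1]
        for k in range(Q):
            logs[tuple(cur)] = k
            cur = mul(cur, g, f)
        if len(logs) == Q:                        # g is primitive iff its Q powers are all distinct
            break
    a = [logs[(i, 1)] for i in range(P)]          # a_i = log_g(t + i); t + i is the polynomial i + t
    pi = list(range(P))                           # step 5: scramble with a random permutation
    rng.shuffle(pi)
    d = rng.randrange(Q - 1)                      # step 6: noise 0 <= d <= p^h - 2
    c = [a[pi[i]] + d for i in range(P)]          # steps 7-8: public c_i; private f (i.e. t), g, pi, d
    return {"c": c, "p": P, "h": H}, {"f": f, "g": g, "pi": pi, "d": d}

def encrypt(pub, bits):
    """bits: 0/1 list of length p with exactly h ones; E(M) = sum of the selected c_i mod Q."""
    if len(bits) != pub["p"] or sum(bits) != pub["h"]:
        raise ValueError("message must have length p and weight h")
    return sum(ci for ci, b in zip(pub["c"], bits) if b) % Q

def decrypt(priv, s):
    f, pi, d = priv["f"], priv["pi"], priv["d"]
    s1 = (s - H * d) % Q                                         # step 1: strip the noise
    pt = power(priv["g"], s1, f)                                 # step 2: g^{s'} mod f(t)
    r = mod([0] * H + [1], f)                                    # step 0: r(t) = t^h mod f(t)
    dt = add(add([0] * H + [1], pt), [(-x) % P for x in r])      # step 3: t^h + p(t) - r(t)
    roots = [i for i in range(P) if evaluate(dt, (-i) % P) == 0] # step 4: t + i divides d(t)
    if len(roots) != H:
        raise ValueError("ciphertext does not decode to a weight-h message")
    return [1 if pi[k] in roots else 0 for k in range(P)]        # apply pi^{-1}

def roundtrip_all(seed):
    """All C(p,h) weight-h messages decrypt, and their ciphertexts are pairwise distinct (Remark 1)."""
    pub, priv = keygen(seed)
    msgs = [[1 if i in ones else 0 for i in range(P)] for ones in itertools.combinations(range(P), H)]
    cts = [encrypt(pub, m) for m in msgs]
    return len(set(cts)) == len(cts) and all(decrypt(priv, s) == m for s, m in zip(cts, msgs))
```

Running `roundtrip_all` checks the Bose-Chowla property directly: the 35 weight-3 sums of the scrambled, noised logarithms are distinct modulo 342, so every ciphertext decodes uniquely.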

5. SYSTEM PERFORMANCE: TIME, SPACE AND INFORMATION RATE 

In this section we analyze three basic parameters of the cryptosystem: The time needed for 
encrypting and decrypting a message, the size of the keys, and the information rate in terms of 
cleartext bits per ciphertext bits. 

Given a binary message of length p and weight h, encrypting it amounts to adding h integers 
c_j, each smaller than p^h. The run time for decryption is much longer. It is dominated by the 
modular exponentiation: To raise a polynomial g to a power in the range [1, p^h − 1] takes at most 
2h log p modular multiplications. The modulus is f(t), a polynomial of degree h, with coefficients 
in GF(p). Using the naive polynomial multiplication algorithm, 2h^2 operations (in GF(p)) per 
modular multiplication will suffice. So overall, 4h^3 log p operations in GF(p) are required. For the 
proposed parameters p ≈ 200, h ≈ 25 this gives about 500,000 GF(p) operations, and compares 
favorably with RSA encryption-decryption time. 

The size of the keys, and especially of the public key, is an important factor in the design of 
any public key system. In such a system, a directory containing all public keys should be maintained 
such that each entry is easily accessible by every user. In our system, the size of the public key 
is that of p numbers, each in the range [1, p^h − 1]. In terms of bits, this is p log_2 p^h = ph log_2 p 
bits. For p ≈ 200, h ≈ 25, the key takes less than 40,000 bits. While this number is about 35 
times larger than the currently proposed size for the RSA public key (600 bits for the modulus 
and 600 for the exponent), it is still within practical bounds. 

The information rate R of a block code is defined as R = log_2 |M| / N, where |M| is the size of 
the message space, and N is the number of bits in a ciphertext. Letting M range over all binary 
vectors of length p and weight h, |M| = \binom{p}{h}, N = log_2 p^h, so the information rate is 

$$R = \frac{\log_2 \binom{p}{h}}{\log_2 p^h} .$$

For the proposed parameters p = 197, h = 24, R = 0.556 (data expansion 1.798). 

6. PROPOSED PARAMETERS 

As mentioned before, the main obstacle in implementing our cryptosystem is the computation 
of discrete logarithms in large finite fields GF(p^h). This computational problem is considered 
quite hard in general. However, the algorithms of Coppersmith [5] and Pohlig and Hellman [15] 
work well in practice for some special cases. Coppersmith's algorithm is appropriate for fields 
of small characteristic, and performs best in characteristic 2. Letting p^h = 2^n, the run time 
of the algorithm is 

$$e^{O(\sqrt{n \log_2 n})} .$$

For n ≤ 200, an implementation of Coppersmith's algorithm will 
terminate in a few hours on a mainframe computer. The Pohlig-Hellman algorithm works for any 
characteristic, provided p^h − 1 has only small prime factors. It turns out that the Pohlig-Hellman 
algorithm is preferable for our specific application, due to two properties: the simplicity of the 
algorithm, and the nice factorization of several numbers p^h − 1 of appropriate magnitude. 

The Pohlig-Hellman algorithm has a T · S (time · space) complexity proportional to the largest 
factor of p^h − 1. While in general numbers whose order of magnitude is ≈ 200^25 do not have 
'small' largest factors (the expected size of the largest factor of a number m is about m^{0.8}), things 
are much better when the number has the form x^h − 1, since we can first factor this expression 
as a polynomial in x, and then factor each term as a number after substituting x ← p. h's with 
"good" factorization are especially effective. For example, x^24 − 1 has the factors x^8 − x^4 + 1, 
x^4 − x^2 + 1, x^4 + 1, and other terms of degree not exceeding 2. Substituting p = 197, the largest 
prime factor of 197^24 − 1 is 10,316,017 ≈ 10^7. The square root of this is ≈ 3 · 10^3, so the Pohlig-Hellman 
algorithm can easily be implemented on a minicomputer within a few CPU hours for all the 197 
logarithms. 

Other possible values are (the last two values are from [4]): 

• p = 211, h = 24 (largest prime factor of 211^24 − 1 is 216,330,241 ≈ 2 · 10^8). 

• p = 256 = 2^8, h = 25 (largest prime factor of 2^200 − 1 is 3,173,389,601 ≈ 3 · 10^9). This 
candidate has the advantage of using binary arithmetic for decryption calculations. 

• p = 243 = 3^5, h = 24 (largest prime factor of 3^120 − 1 is 47,763,361 ≈ 5 · 10^7). 

7. POSSIBLE ATTACKS 

In this section we examine some possible attacks on the cryptosystem. We start with attacks 
where part of the secret key is known to the cryptanalyst and he is trying to reconstruct the 
rest of it. We proceed by considering low density and brute force attacks with no prior secret 
information, where the goal is not to reconstruct the secret key but rather to decipher a given 
ciphertext. 
a. Known g and d. 

Let t' = g^{c_0 − d}; then t − t' ∈ GF(p), so the sets { t + i | i ∈ GF(p) } and { t' + i | i ∈ GF(p) } are 
identical. Therefore, by using t', the cryptanalyst can determine π and has all needed information 
for decryption. 

b. Known t and d. 

Pick an arbitrary generator g'. Compute a'_i = log_{g'}(t + i). As sets, we have 

$$\{ a_0, a_1, \ldots, a_{p-1} \} = L \cdot \{ a'_0, a'_1, \ldots, a'_{p-1} \}$$

where equality is modulo p^h − 1 and L, p^h − 1 are relatively prime, L satisfying g = g'^L. Once L 
is recovered, we are done, for then g = g'^L, and we can reconstruct π and have all the pieces of 
the private key. 

If one of the a'_i (a'_0, say) is relatively prime¹ to p^h − 1, then L is one of a_j a'_0^{−1} (mod p^h − 1), 
for some 0 ≤ j ≤ p − 1. Otherwise, the cryptanalyst can compute L modulo each of the prime 
power factors of p^h − 1 (which are all small and therefore easy to find, by the choice of p and h), 
and then combine them together using the Chinese remainder theorem. 

c. Known permutation π and d (attack due to Andrew Odlyzko). 

Since the knapsack is dense, there are small integral coefficients x_i (some of which may be 
negative) such that 

$$\sum_{i=0}^{p-1} x_i a_i = 0$$

(for details see [14]). Furthermore, the LLL algorithm can find these x_i's. The last equality 
implies 

$$g^{\sum_{i=0}^{p-1} x_i a_i} = \prod_{i=0}^{p-1} \left(g^{a_i}\right)^{x_i} = 1 ,$$

i.e. 

$$\prod_{i=0}^{p-1} (t + i)^{x_i} = 1 .$$

The left hand side of the last equality is a rational function of t, and g (which is still unknown) 
is not a part of it. If m_1 = Σ_{x_i > 0} x_i (m_2 = |Σ_{x_i < 0} x_i|) denotes the sum of positive (negative) x_i's, 
and m = max(m_1, m_2), then we get a polynomial equation of degree m − 1 in t, with coefficients 
from GF(p). All roots (in GF(p^h)) of this polynomial can be found using a fast probabilistic 
algorithm. t is necessarily one of these roots, so attack (b) can now be used. 

¹ This means that one of the t + i is itself a multiplicative generator of GF(p^h), and will happen with high probability. 

Remark: If π is not known, this attack does not seem to work since, even though the x_i can be 
found, they give rise to an 'unknown' polynomial. If m_1 + m_2 is very small then one can try all 
the possibilities for the m_1 + m_2 indices involved even without knowing π. However, with π unknown and m_1 + m_2 exceeding 
10, this approach becomes infeasible. 

d. Low density attacks 

Brickell [3] and independently Lagarias and Odlyzko [11] introduced "general purpose" algo- 
rithms which can be expected to recover successfully the added elements of any "low density" 
knapsack system. In this subsection we briefly describe the second method, and examine its 
success when applied to our system. 

The density d(A) of a knapsack system A = { a_i | 0 ≤ i ≤ p − 1 } is defined to be 

$$d(A) = \frac{p}{\log_2 (\max_i a_i)} .$$

Given a knapsack system A = { a_i | 0 ≤ i ≤ p − 1 } and a sum instance (ciphertext) S = 
Σ_{i=0}^{p−1} x_i a_i, Lagarias and Odlyzko construct a (p + 1)-dimensional lattice. The lattice construction 
uses the p knapsack elements and the given ciphertext. A certain vector in this lattice (which 
we call here the special vector) is defined. This vector corresponds to the solution of the given 
ciphertext (yields the coefficients x_i in the sum), and the goal of the cryptanalyst is to find it. 
Lagarias and Odlyzko have shown that if d(A) is low, this special vector is the shortest one in 
the lattice. 

Using the last observation, what Lagarias and Odlyzko are trying to do is to find the shortest 
vector in the lattice. The tool they use is the basis reduction algorithm of Lenstra, Lenstra and 
Lovász. While this algorithm usually succeeds if the shortest vector in the lattice is much shorter 
than all other vectors, it does not do so well if the shortest vector is relatively close in length to 
other vectors. 

In our specific case, the knapsack has high density. The length (square of Euclidean norm) 
of the special vector will not be much shorter than the length of many other vectors (24 vs. 40 
for p = 197, h = 24), and so the LLL algorithm cannot be expected to find it. Experiments, 
done by Andrew Odlyzko, on a smaller knapsack created by us (p = 103, h = 12, a system with 
density 1.271, where the calculations imply that all vectors other than the special one have length 
at least 17, but the LLL algorithm did not find the special vector even when its length was only 
5), support this claim. So, for the Lagarias-Odlyzko attack to be successful against our system, it 
must use a better shortest vector algorithm. Currently, the best (exact) shortest vector algorithm 
known is the one of Kannan [10], and its performance is no better, in our application, than the 
brute force attack sketched in the next subsection. 



We wish to remark that it is possible to make the specific vector which solves a given ciphertext 
longer, by reducing the information rate of the system, without changing its density (details 
are left to the full paper). In this case, no shortest vector algorithm will find this vector. 
However, with the current state of shortest vector algorithm, it looks like such modification to 
the cryptosystem is not required. 

e. Brute force attacks. 

The most efficient method we know of for solving knapsack instances with h out of p items, 
given a specific ciphertext, is the following: There are \binom{p}{h} ways of choosing h out of p elements. 
Take a random subset S containing p/2 elements. The probability that a given sum contains 
exactly h/2 out of these p/2 elements is 

$$\frac{\binom{p/2}{h/2}^2}{\binom{p}{h}} \approx \frac{1}{\sqrt{h}} .$$

Assuming that this is indeed the case, we generate all h/2-sums of S and of its complement, and 
sort them. The goal is to find a pair of sums from the two lists whose sum matches the desired 
target. This can be achieved by keeping two pointers to the two lists, and marching linearly 
through each (one in increasing order, and the other in decreasing order). If the two lists are 
exhausted but no matching sum was found, then another random S is tried. The run time per 
one choice of S is dominated by sorting all h/2-sums of both S and its complement. This will 
require 2 \binom{p/2}{h/2} ln \binom{p/2}{h/2} operations. On the average, about √h choices of S have to be made. The 
overall expected running time will thus be 

$$2 \binom{p/2}{h/2} \ln \binom{p/2}{h/2} \cdot \frac{\binom{p}{h}}{\binom{p/2}{h/2}^2} = \frac{2 \binom{p}{h} \ln \binom{p/2}{h/2}}{\binom{p/2}{h/2}} .$$

For p = 197, h = 24 the expected number of operations is 3.466 · 10^17 > 2^58, so such a brute force 
attack is totally impractical. 

Even though none of these attacks seems to produce a threat to the system security, other 
attacks might be successful. We urge the reader to examine our proposal for as yet undiscovered 
weaknesses. 
Appendix 1: Discrete logarithms and factorization. 

We'll show here how the problem of factoring "paired primes" n = p · q (p, q primes) is 
polynomially reducible to that of finding indices in Z_n. Let a ∈ Z_n^*. Since a^{(p−1)(q−1)} ≡ 1 (mod n), 
we have 

$$a^n = a^{pq} = a^{pq - (p-1)(q-1)} \cdot a^{(p-1)(q-1)} \equiv a^{p+q-1} \pmod n .$$

The index of a^{p+q−1} to base a is a divisor of p + q − 1, most likely p + q − 1 itself. Hence a discrete 
logarithm subroutine will output p + q − 1 when given a^n (mod n) as input. Having n = p · q 
and p + q − 1, p and q can easily be determined. 
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(Extended Abstract) 

1. INTRODUCTION 

It is well known that if one can factor the modulus R = pq (p,q 
distinct large primes) of the RSA cryptosystem [4], then the system can 
be broken. However, it is not known whether the problem of breaking an 
RSA cryptosystem is equivalent in difficulty to factoring R. Rabin [3] 
has given a public-key encryption method which is as difficult to break 
as it is to factor R, but the decryption process produces four possible 
candidates for the correct message and only one of these is the correct 
one. If the actual message being transmitted has little or no internal 
redundancy (e.g., a cryptographic key) there is no way for the sender to 
allow the recipient to identify the correct message being transmitted. 
Also, in [1] Lipton has pointed out some other weaknesses in this scheme 
when it is used as a cryptosystem. Indeed, Rabin only advocated its use 
as a signature system. 

In [5], Williams described a modification of the RSA technique for 
which it can be shown that breaking the system is equivalent in difficulty 
to factoring a special form of R (viz. R = pq, where p ≡ 3 (mod 8), 
q ≡ 7 (mod 8)). In this system the decryption procedure yields only one 
message, the one being transmitted. Also, if one uses a large value of 
e, Lipton's attacks will fail. The difficulty with this system is the 
fact that R must be of the above-mentioned special form. In this paper 
we describe a new method of public-key encryption, which has all of the 
advantages of that given in [5] but for which R can be a product of 
two arbitrary primes. 

2. SOME PROPERTIES OF THE FUNCTIONS X_n, Y_n 

Instead of raising an integer to a power modulo R, as is done in 
the RSA case, we raise a number α of the form W_1 + √C W_2 to a power 
modulo R. Here W_1, W_2, C are integers. We effect this by means of 
the functions X_n and Y_n, defined by 

$$X_n(W_1, W_2) = (\alpha^n + \bar\alpha^n)/2 ,$$

$$Y_n(W_1, W_2) = W_2 (\alpha^n - \bar\alpha^n)/(\alpha - \bar\alpha) .$$

Here ᾱ = W_1 − √C W_2 and we easily see that 

$$\alpha^n = X_n(W_1, W_2) + \sqrt{C}\, Y_n(W_1, W_2) .$$

Both functions X_n and Y_n can be computed modulo R in O(log n) 
multiplication and division operations. (See, for example, Lehmer [2]). 

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 66-70, 1985. 
© Springer-Verlag Berlin Heidelberg 1985 
We require the following 

Theorem. Suppose p and q are odd primes and 

i) W_1^2 − C W_2^2 ≡ 1 (mod R); 

ii) the Legendre symbols ε_p = (C/p) ≡ −p (mod 4) and ε_q = (C/q) ≡ −q (mod 4); 

iii) gcd(C W_2, R) = 1; 

iv) the Jacobi symbol (2(W_1 + 1)/R) = 1; 

v) ed ≡ (w + 1)/2 (mod w), where 

$$w = (p - \epsilon_p)(q - \epsilon_q)/4 . \tag{1}$$

Then we must have 

$$X_{2ed}(W_1, W_2) \equiv s W_1, \qquad Y_{2ed}(W_1, W_2) \equiv s W_2 \pmod R ,$$

where |s| = 1. □ 



3. ENCRYPTION AND DECRYPTION. 

To produce his encryption key a designer of our cryptosystem selects 
two large primes p and q and forms their product R. He then selects, 
by trial, some integer C such that 

$$(C/p) \equiv -p, \qquad (C/q) \equiv -q \pmod 4 .$$

Again, by trial, he finds some integer A such that the Jacobi symbol 

$$((A^2 - C)/R) = -1 .$$

Finally, for a randomly selected e such that gcd(e, w) = 1 (w given 
by (1)), he solves 

$$ed \equiv (w + 1)/2 \pmod w$$

for d. 

The public encryption key is now {R, e, C, A} and the secret decryp- 
tion key is d. Since C and A are usually small, the encryption key 
does not require much more storage space than that required by the RSA 
scheme. 

Let M be any message (0 < M < R) to be encrypted. We put b_1 = 0 
when the Jacobi symbol ((M^2 − C)/R) = 1 and we put b_1 = 1 when 
((M^2 − C)/R) = −1. Define 

$$\gamma = \begin{cases} M + \sqrt{C} & \text{when } b_1 = 0 \\ (M + \sqrt{C})(A + \sqrt{C}) & \text{when } b_1 = 1 . \end{cases}$$

We have (γγ̄/R) = 1. 
Define T(M) and S(M) by 

$$\alpha = \gamma/\bar\gamma \equiv T(M) + S(M)\sqrt{C} \pmod R .$$

(We say that (U + V√C)/W ≡ T + S√C (mod R) when UW^{−1} ≡ T and 
VW^{−1} ≡ S (mod R).) Note that 

$$1 = \alpha\bar\alpha \equiv T(M)^2 - C\, S(M)^2 .$$

Further, 

$$2(T(M) + 1) \equiv (\gamma + \bar\gamma)^2 (\gamma\bar\gamma)^{-1} \pmod R ;$$

thus 

$$(2(T(M) + 1)/R) = 1 .$$

If we put b_2 ≡ T(M) (mod 2) (b_2 = 0, 1), we can encrypt M by computing 

$$E(M) \equiv X_e(T(M), S(M)) \{ Y_e(T(M), S(M)) \}^{-1} \pmod R ,$$

where 0 < E(M) < R. 

If E(M), along with b_1 and b_2, is sent to the designer of the 
cryptosystem, then he can compute 

$$U \equiv X_{2e}(T(M), S(M)) \equiv (K^2 + C)(K^2 - C)^{-1} ,$$

$$V \equiv Y_{2e}(T(M), S(M)) \equiv 2K (K^2 - C)^{-1} \pmod R ,$$

where K = E(M). Only he can now determine 

$$X_d(U, V) \equiv X_{2ed}(T(M), S(M)), \qquad Y_d(U, V) \equiv Y_{2ed}(T(M), S(M)) \pmod R .$$

By the theorem we know that 

$$X_d(U, V) \equiv s\, T(M), \qquad Y_d(U, V) \equiv s\, S(M) \pmod R ,$$

where |s| = 1. With the value of b_2, it is easy to find s and 
with b_1, it is easy to determine M from knowledge of both T(M) 
and S(M). 
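The key generation, encryption and decryption steps of sections 2 and 3, run on toy primes. This is an added example, not the authors' code: p = 1019, q = 1013, the seed and the message range are assumptions; α is kept as the pair (W_1, W_2) modulo R, so (X_n, Y_n) is just α^n by repeated squaring, and the sign s is resolved from b_2 exactly as the text describes.

```python
"""Toy instance of the scheme of sections 2 and 3 with small primes; a constructed example,
not the authors' code.  alpha = W1 + W2*sqrt(C) is held as the pair (W1, W2) mod R, so
(X_n, Y_n) is alpha^n computed by repeated squaring of pairs."""
import math
import random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (0 when gcd(a, n) > 1)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def qmul(u, v, C, R):
    """(u0 + u1 sqrt C)(v0 + v1 sqrt C) mod R."""
    return ((u[0] * v[0] + C * u[1] * v[1]) % R, (u[0] * v[1] + u[1] * v[0]) % R)

def XY(n, W1, W2, C, R):
    """(X_n(W1, W2), Y_n(W1, W2)) mod R: the coordinates of (W1 + W2 sqrt C)^n."""
    result, base = (1, 0), (W1 % R, W2 % R)
    while n:
        if n & 1:
            result = qmul(result, base, C, R)
        base = qmul(base, base, C, R)
        n >>= 1
    return result

def quotient(g, C, R):
    """gamma / conj(gamma) = gamma^2 / (gamma conj(gamma)) as a pair (T, S) mod R."""
    norm = (g[0] * g[0] - C * g[1] * g[1]) % R
    if math.gcd(norm, R) != 1:
        raise ValueError("gamma * conj(gamma) not invertible mod R")
    inv = pow(norm, -1, R)
    return ((g[0] * g[0] + C * g[1] * g[1]) * inv % R, 2 * g[0] * g[1] * inv % R)

def keygen(p, q, seed):
    """Public key (R, e, C, A) and secret d for odd primes p, q (no congruence condition)."""
    rng, R = random.Random(seed), p * q
    eps = lambda r: 1 if r % 4 == 3 else -1            # (C/r) must be congruent to -r mod 4
    C = next(c for c in range(2, R) if jacobi(c, p) == eps(p) and jacobi(c, q) == eps(q))
    A = next(a for a in range(1, R) if jacobi(a * a - C, R) == -1)
    w = (p - eps(p)) * (q - eps(q)) // 4                # odd: (p - eps_p)/2 and (q - eps_q)/2 are odd
    while True:
        e = rng.randrange(3, w)
        if math.gcd(e, w) == 1:
            break
    d = (w + 1) // 2 * pow(e, -1, w) % w                # e d = (w + 1)/2 (mod w)
    return (R, e, C, A), d

def encrypt(pub, M):
    """Returns (E(M), b1, b2); raises when M meets a non-invertible element (those expose a factor of R)."""
    R, e, C, A = pub
    j = jacobi(M * M - C, R)
    if j == 0:
        raise ValueError("gcd(M^2 - C, R) > 1")
    b1 = 0 if j == 1 else 1
    gamma = (M, 1) if b1 == 0 else qmul((M, 1), (A, 1), C, R)
    T, S = quotient(gamma, C, R)                         # alpha = gamma / conj(gamma), norm 1
    if math.gcd(C * S, R) != 1:                          # hypothesis iii) of the theorem
        raise ValueError("gcd(C S(M), R) > 1")
    X, Y = XY(e, T, S, C, R)
    if math.gcd(Y, R) != 1:
        raise ValueError("Y_e not invertible mod R")
    return X * pow(Y, -1, R) % R, b1, T % 2

def decrypt(pub, d, K, b1, b2):
    R, e, C, A = pub
    inv = pow((K * K - C) % R, -1, R)
    U, V = (K * K + C) * inv % R, 2 * K * inv % R        # (X_2e, Y_2e)(T(M), S(M))
    T, S = XY(d, U, V, C, R)                             # = (s T(M), s S(M)), |s| = 1
    if T % 2 != b2:                                      # R is odd, so s = -1 flips the parity
        T, S = (-T) % R, (-S) % R
    if b1 == 1:                                          # divide out (A + sqrt C)/(A - sqrt C)
        TA, SA = quotient((A, 1), C, R)
        T, S = qmul((T, S), (TA, (-SA) % R), C, R)
    return (T + 1) * pow(S, -1, R) % R                   # (M + sqrt C)/(M - sqrt C) = T + S sqrt C, so M = (T + 1)/S

def verify(p, q, seed, msgs):
    """Round-trips every M in msgs; returns (#correct, #skipped), skipped = encrypt raised."""
    pub, d = keygen(p, q, seed)
    ok = skipped = 0
    for M in msgs:
        try:
            ok += decrypt(pub, d, *encrypt(pub, M)) == M
        except ValueError:
            skipped += 1
    return ok, skipped
```

The skipped messages are exactly the ones where M^2 − C, S(M) or Y_e shares a factor with R; the text's security argument is that such a gcd would already factor R.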

4. SECURITY. 

Suppose that P is some algorithm which decrypts 1/k of all 
ciphertexts produced by our cryptosystem. Find some Z such that 

$$((Z^2 - C)/R) = -1 \qquad \text{and} \qquad \gcd(Z, R) = 1 .$$

Compute 

$$K \equiv X_e(T, S)\, Y_e(T, S)^{-1} \pmod R ,$$

where 

$$T + S\sqrt{C} \equiv (Z + \sqrt{C})/(Z - \sqrt{C}) \pmod R .$$

With probability 1/k, P will determine some M such that 
P(M) = K. Now for N one of M or C M^{−1} (mod R), we have 

$$((N^2 - C)/R) = 1$$

and 

$$Z(N^2 + C) \equiv N(Z^2 + C) \pmod R ;$$

hence, gcd(N − Z, R) = p or q and R can be factored. Thus, anyone 
who can decrypt messages sent on this system can factor R. 

We must emphasize, however, that since the method of proof utilized 
here is constructive, this system is susceptible to a known ciphertext 
attack. Thus, it must be used with certain protocols. Lipton's 
types of attack, when applied to this scheme, will also fail when e 
is large; indeed, even if one of the e's is 1, his first attack 
will fail. 
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This scheme can also be used to produce signatures, but in this 
application e must not be 1. 

The full details of the work summarized here will appear in a 
forthcoming issue of Cryptologia. 
1. The Problem. 

Consider the finite field having q elements and denote it by GF(q). Let α be a generator for the 
nonzero elements of GF(q). Hence, for any element b ≠ 0 there exists an integer x, 0 ≤ x ≤ q − 2, such that 
b = α^x. We call x the discrete logarithm of b to the base α and we denote it by x = log_α b and more simply 
by log b when the base is fixed for the discussion. The discrete logarithm problem is stated as follows: 

Find a computationally feasible algorithm to compute log_α b for any b ∈ GF(q), b ≠ 0. 

Several cryptographic schemes have been proposed which base their security on the intractability of the 
discrete logarithm problem for large q. 

In 1976 Diffie and Hellman [7] proposed the following public key passing scheme. Let A and B be two 
parties who wish to share a common key K. The finite field GF(q) and a generator α are stored in a public 
file. Party A generates a random integer a and computes α^a. Party B generates a random integer b and 
computes α^b. A sends to B the field element α^a and B sends to A the field element α^b. A computes 
(α^b)^a = α^{ab} and B computes (α^a)^b = α^{ab}. A and B now share the common key K = α^{ab}. 

Recently, ElGamal [8] has proposed a public key cryptosystem and an authentication scheme which is 
based on discrete exponentiation. We describe only the public key system here. 

Consider GF(q) generated by α. The message space M will consist of all nonzero field elements. Par- 
ty A generates a random integer a and stores α^a in a public file. Suppose party B wishes to send a message 
m to A. B generates a random integer k and computes (α^a)^k (since α^a is made public this is possible), α^k 
and mα^{ak}. B sends A the pair (α^k, α^{ak} m). Since A knows a he can compute (α^k)^a = α^{ak}, and, hence, obtain 
m from α^{ak} m. This scheme and the Diffie-Hellman method appear to have the same degree of security. It 
remains an open problem as to whether or not the security of these systems is entirely dependent on computing 
discrete logarithms. 

† Research supported in part by the Department of Communications under contract # 20ST 36001-4-0853. 

A number of special purpose algorithms for computing discrete logs have appeared in the literature 
(see, for example, [2], [9], [11], [14]). In this article we address only the most general methods currently 
available. 

In the next three sections we describe three subexponential algorithms for computing logs. The algo- 
rithms of sections 3 and 4 are variants of the one presented in section 2. These algorithms are referred to as 
the index-calculus algorithms in an excellent and in-depth article on the subject by Odlyzko [13]. 

For the purposes of this paper we restrict our discussion to GF(2^n). (The algorithms of sections 2 and 
3 apply more generally.) We think of the elements in GF(2^n) as polynomials of degree at most n − 1 over 
GF(2) and multiplication is performed modulo some fixed irreducible polynomial of degree n over GF(2). 
The examples cited in this paper refer to GF(2^127) as it has been of some interest recently. (See, for exam- 
ple, [15], [17]). 

2. Adleman Algorithm 

The basic ideas involved in the following subexponential algorithm for computing discrete logarithms 
are due to Western and Miller [16]. Adleman [1] independently discovered the algorithm and partially 
analysed its computational complexity. 

The algorithm consists of two parts. The first part requires the construction of a large database of loga- 
rithms. This database only needs to be constructed once for GF(2^n). Part 2 of the algorithm computes indi- 
vidual logarithms. 

Part 1 (Database). 

Find the logarithms of all irreducible polynomials of degree at most b where b is a fixed positive in- 
teger determined by GF(2^n). 

Part 2. 

To find the log of an element g(x) ∈ GF(2^n), g(x) ≠ 0, generate a random integer a and compute 
h(x) = g(x)α^a(x) where α(x) generates GF(2^n). Now, factor 

$$h(x) = \prod_{i=1}^{r} p_i(x)^{e_i} .$$

If each irreducible factor p_i(x) has deg p_i(x) ≤ b then 

$$\log g(x) = \sum_{i=1}^{r} e_i \log p_i(x) - a \pmod{2^n - 1} ,$$

which can easily be evaluated by looking up log p_i(x), 1 ≤ i ≤ r, in the database. If not all p_i(x) have 
deg p_i(x) ≤ b then generate another random integer and repeat. 
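Part 2 above, and the smoothness probability p(n,b) that the next paragraphs analyse, run as an added toy example in GF(2^11). This is a constructed example, not the authors' implementation: the defining polynomial x^11 + x^2 + 1, the random seed and the base bound b = 4 are assumptions, and the Part 1 database is filled by enumerating powers of x rather than by the linear system described below.

```python
"""Toy run of the Adleman algorithm in GF(2^11); a constructed example, not the paper's code.
Elements are ints whose bits are the coefficients of a polynomial over GF(2) (bit k <-> x^k),
reduced modulo f(x) = x^11 + x^2 + 1 (primitive, so alpha(x) = x generates GF(2^11)^*).  The
Part 1 database is filled by enumeration here (2047 elements); at real sizes it comes from
the linear system described in the text."""
import random

N = 11
F = (1 << 11) | (1 << 2) | 1            # f(x) = x^11 + x^2 + 1 (assumption: a primitive trinomial)
ORDER = (1 << N) - 1                    # 2^11 - 1 = 2047 = 23 * 89
ALPHA = 0b10                            # the polynomial x

def gf2_mulmod(a, b, f=F):
    """a(x) b(x) mod f(x) over GF(2), shift-and-add."""
    deg_f, r = f.bit_length() - 1, 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> deg_f & 1:
            a ^= f
    return r

def gf2_powmod(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, a)
        a = gf2_mulmod(a, a)
        e >>= 1
    return r

def gf2_divmod(a, b):
    """Quotient and remainder of a(x) / b(x) over GF(2)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        shift = a.bit_length() - 1 - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def irreducibles(max_deg):
    """All irreducible polynomials over GF(2) of degree 1..max_deg, by trial division."""
    found = []
    for d in range(1, max_deg + 1):
        for poly in range(1 << d, 1 << (d + 1)):
            if all(gf2_divmod(poly, p)[1] for p in found if 2 * (p.bit_length() - 1) <= d):
                found.append(poly)
    return found

def smooth_factorization(h, base):
    """{p: e} with h = prod p^e when every irreducible factor of h is in base, else None."""
    if h == 0:
        return None
    exps = {}
    for p in base:
        while True:
            q, r = gf2_divmod(h, p)
            if r:
                break
            h, exps[p] = q, exps.get(p, 0) + 1
    return exps if h == 1 else None

def log_table():
    """log_alpha of every nonzero element, by enumerating alpha^k."""
    table, cur = {}, 1
    for k in range(ORDER):
        table[cur] = k
        cur = gf2_mulmod(cur, ALPHA)
    return table

def database(b, table):
    """Part 1 output: logs of all irreducibles of degree <= b (looked up here, not solved for)."""
    return {p: table[p] for p in irreducibles(b)}

def discrete_log(g, db, seed=0, max_tries=100000):
    """Part 2: random a until g alpha^a is b-smooth; returns (log_alpha g, number of tries)."""
    rng, base = random.Random(seed), sorted(db)
    for tries in range(1, max_tries + 1):
        a = rng.randrange(ORDER)
        h = gf2_mulmod(g, gf2_powmod(ALPHA, a))
        exps = smooth_factorization(h, base)
        if exps is not None:                # log g = sum e_i log p_i - a  (mod 2^n - 1)
            return (sum(e * db[p] for p, e in exps.items()) - a) % ORDER, tries
    raise RuntimeError("no smooth relation found")

def smooth_fraction(b):
    """Empirical p(n-1, b): share of the 2^(n-1) polynomials of degree exactly n-1 that are b-smooth."""
    base = irreducibles(b)
    hits = sum(smooth_factorization(h, base) is not None for h in range(1 << (N - 1), 1 << N))
    return hits / (1 << (N - 1))
```

The number of tries reported by `discrete_log` is the quantity the text estimates as p(n,b)^{-1}; `smooth_fraction(b)` computes that probability exactly for this field, so the two can be compared for several b.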
We define p(n,b) to be the probability that a randomly chosen polynomial of degree exactly n has all of its irreducible factors with degrees of at most b. If N(n,b) is the number of polynomials of degree exactly n such that each has all of its irreducible factors with degree at most b then



and the expected running time of the second part of the algorithm should be approximately p(n,b)^{-1}. Odlyzko [1] shows that



and that the asymptotic running time of the entire algorithm is exp(c_1 (n log n)^{1/2}).

Let S be the set of all irreducible polynomials of degree at most b. In order to find the logarithms of all elements in S we set up a system of |S| linear equations in |S| unknowns, where the unknowns are the logarithms. We can find this system of equations by applying part 2 of the algorithm to each element of S. The resulting system must be solved over the integers modulo 2^n − 1. The number of iterations of part 2 needed to produce the necessary equations is approximately |S| p(n,b)^{-1}. For GF(2^127) this quantity is minimized by b = 23. Since there are 766,150 irreducible polynomials of degree at most 23, we require this many equations. A random polynomial of degree at most 126 will factor into the database with b = 23 with probability .000138. This means that producing the desired set of equations will require about 5,549 × 10^6 iterations of part 2 of the algorithm.

The next section gives a variant of the Adleman algorithm which improves the situation for GF(2^127).

3. The Waterloo Algorithm

This algorithm (see [3]) differs from the former algorithm in two ways. In part 2, where the polynomial h(x) = g(x)α^a(x) is factored, this algorithm instead applies the extended Euclidean algorithm to the polynomials h(x) and f(x) (f(x) is the irreducible polynomial of degree n which defines GF(2^n)) so that we can write



where (s(x), t(x)) = 1 and deg s(x), deg t(x) ≤ n/2. One observation we can make at this point is that every polynomial h(x) of degree at most n (n odd) can be written uniquely as a quotient of relatively prime polynomials each of which has degree at most n/2. If both s(x) and t(x) factor into S then log g(x) is readily computed by table lookup.

The advantage of this algorithm over the previous one is that it is more probable for two polynomials of degree at most n/2 to factor into the database than it is for one polynomial of degree n. Let N(b,i,j) be the number of pairs of relatively prime polynomials (A(x),B(x)) such that deg A(x) = i, deg B(x) = j and both are smooth with respect to b. (By smooth we mean that the polynomial factors into irreducibles all of whose degrees are at most b.) For each irreducible polynomial k(x) with degree k ≤ b define the enumerator of k(x) by

$$(1 + y^{k} + y^{2k} + \cdots + z^{k} + z^{2k} + \cdots).$$

Letting I_k be the number of irreducible polynomials of degree k we obtain the generating function for the N(b,i,j) as

$$F(y,z) = \prod_{k=1}^{b} \Bigl(1 + \sum_{l \ge 1} y^{kl} + \sum_{l \ge 1} z^{kl}\Bigr)^{I_k}
 = \prod_{k=1}^{b} \Bigl[\frac{1 - y^{k} z^{k}}{(1 - y^{k})(1 - z^{k})}\Bigr]^{I_k}
 = \frac{E(y)\,E(z)}{E(yz)}$$

where E(y) is the generating function for one smooth polynomial. The probability that an ordered pair of relatively prime polynomials (A(x),B(x)), each of degree at most n/2, are both smooth with respect to b is

In the case of GF(2^127) Coppersmith [6] has evaluated this expression for b = 17 and found p*(127,17) = 71^0. In order to simplify calculations we approximate p*(n,b) by [p(n,b)]^2. For GF(2^127) the resulting value of [p(127,17)]^2 is listed in the table below.

In the following table we list these probabilities for b ranging between 1 and 30, and we also list the probabilities associated with the Adleman algorithm. The table also includes the expected number of iterations needed to produce enough equations to construct the database for each value of b in the given range.

We see from the table that the number of iterations for the database is minimized by b = 20. For our implementation we selected b = 17 in order to keep the system of equations manageable.
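As an added illustration, not code from the paper, here is part 2 of the Adleman algorithm and the first Waterloo modification side by side in Python. The field is the toy GF(2^7) defined by f(x) = x^7 + x + 1 (an assumption made so that the factor-base logs can be found by enumerating all 127 powers of x instead of by the linear-algebra step of part 1); all function names are the example's own. Both routines draw a random a and form h(x) = g(x)x^a, then either factor h(x) outright (Adleman) or split it as s(x)/t(x) with the extended Euclidean algorithm stopped at degree (n − 1)/2 and require both halves to be smooth (Waterloo); the returned value satisfies log g = Σ e_i log p_i − a or log g = log s − log t − a modulo 2^n − 1.

```python
import random

# Toy field GF(2^7) defined by f(x) = x^7 + x + 1 (primitive, so alpha(x) = x generates the
# multiplicative group).  Polynomials over GF(2) are ints: bit i = coefficient of x^i.
F, N = 0b10000011, 7
ORDER = (1 << N) - 1        # 2^n - 1 = 127
X = 0b10                    # alpha(x) = x

def pdeg(a):
    return a.bit_length() - 1

def pmul(a, b):             # carry-less product in GF(2)[x]
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, m):          # quotient and remainder in GF(2)[x]
    q, dm = 0, pdeg(m)
    while a and pdeg(a) >= dm:
        s = pdeg(a) - dm
        q, a = q ^ (1 << s), a ^ (m << s)
    return q, a

def mulmod(a, b, m):
    return pdivmod(pmul(a, b), m)[1]

def powmod(base, e, m):
    r = 1
    while e:
        if e & 1:
            r = mulmod(r, base, m)
        base, e = mulmod(base, base, m), e >> 1
    return r

def factor(h):
    """Trial division in increasing degree: {irreducible: multiplicity}.  Toy degrees only."""
    out, p = {}, 2
    while pdeg(h) > 0:
        if pdeg(p) > pdeg(h) // 2:     # no small divisor left, so h itself is irreducible
            out[h] = out.get(h, 0) + 1
            break
        q, r = pdivmod(h, p)
        if r == 0:
            out[p], h = out.get(p, 0) + 1, q
        else:
            p += 1
    return out

def is_smooth(factors, b):
    return all(pdeg(p) <= b for p in factors)

def build_database(b):
    """Logs of all irreducibles of degree <= b.  The paper's part 1 solves a linear system
    for these; in a 127-element field we can simply enumerate the powers of x."""
    table, cur = {}, 1
    for e in range(ORDER):
        table[cur], cur = e, mulmod(cur, X, F)
    return {p: table[p] for p in range(2, 1 << (b + 1)) if factor(p) == {p: 1}}

def adleman_log(g, b, db, seed=1):
    """Part 2 of the Adleman algorithm: pick random a until h = g * x^a is b-smooth, then
    log g = sum e_i * log p_i - a (mod 2^n - 1).  Returns (log g, number of trials)."""
    rng, tries = random.Random(seed), 0
    while True:
        tries += 1
        a = rng.randrange(ORDER)
        fac = factor(mulmod(g, powmod(X, a, F), F))
        if is_smooth(fac, b):
            return (sum(e * db[p] for p, e in fac.items()) - a) % ORDER, tries

def rational_reconstruct(h, f):
    """Waterloo step: extended Euclid on (f, h), stopped at the first remainder of degree
    <= (n-1)/2, gives s, t with t*h = s (mod f) and deg s, deg t <= (n-1)/2 (n odd)."""
    r0, r1, t0, t1 = f, h, 0, 1
    half = (pdeg(f) - 1) // 2
    while pdeg(r1) > half:
        q, r = pdivmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, t0 ^ pmul(q, t1)
    return r1, t1                       # s(x), t(x)

def waterloo_log(g, b, db, seed=1):
    """Same randomisation, but h = s/t is accepted when both halves are b-smooth:
    log g = log s - log t - a.  Two half-degree polynomials are smooth far more often."""
    rng, tries = random.Random(seed), 0
    while True:
        tries += 1
        a = rng.randrange(ORDER)
        s, t = rational_reconstruct(mulmod(g, powmod(X, a, F), F), F)
        fs, ft = factor(s), factor(t)
        if is_smooth(fs, b) and is_smooth(ft, b):
            logs = sum(e * db[p] for p, e in fs.items()) - sum(e * db[p] for p, e in ft.items())
            return (logs - a) % ORDER, tries
```

Counting the trials returned by each routine over a few hundred random elements gives a small-scale version of the probability comparison in the table that follows; in GF(2^127) the factoring step would need a real irreducible-factorization routine rather than trial division, and the database would come from the linear system of part 1.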

The second difference in the Waterloo algorithm is in producing the equations for the database. We did not rely entirely on Part 2 of the algorithm. A number of equations were readily obtained by several techniques which make use of the fact that squaring is a linear operator in the field. Our principal technique here is referred to as the generation of systematic equations.

We briefly describe this technique with regard to GF(2^127) generated by f(x) = x^127 + x + 1. Since f(x) divides x^128 + x^2 + x, it is easily shown that x^{2^i}, 0 ≤ i ≤ 126, can be written as e = Σ_j η_j x^{2^j} where η_j ∈ {0,1}, and so the log of any element of the form e can be readily found. Similarly the log of any element of the form 1 + Σ_j η_j x^{2^j}, where η_j ∈ {0,1}, 1 ≤ j ≤ 6, can be found. This gives 31 equations where the maximum degree is 16. Related to this idea is the observation that if u(x) is any irreducible polynomial of degree d then the degrees of all irreducible factors of u(u(x)) are divisible by d. Using this method we obtained 142 linearly independent equations involving the 226 logarithms of irreducible polynomials of degree ≤ 10.
Probability and expected number of runs for the new and Adleman algorithm, n=127.

| Degree b | Total no. of irred. polys | New algorithm: Probability | New algorithm: Expected no. of runs | Adleman algorithm: Probability | Adleman algorithm: Expected no. of runs |
| 1 | 1 | 1.27141469E-32 | 7.8652544E+31 | 0.47772090E-34 | 0.20932720E+35 |
| 2 | 2 | 1.61023467E-30 | 1.24205499E+30 | 0.10391370E-32 | 0.19246730E+34 |
| 3 | 4 | 1.42003032E-27 | 2.81684126E+27 | 0.10686600E-30 | 0.37430020E+32 |
| 4 | 7 | 1.15313844E-24 | 6.07038995E+24 | 0.16022050E-28 | 0.43689770E+30 |
| 5 | 13 | 3.46321796E-21 | 3.75373429E+21 | 0.12806100E-25 | 0.10151400E+28 |
| 6 | 22 | 2.43083741E-18 | 9.05037906E+18 | 0.60489980E-23 | 0.36369650E+25 |
| 7 | 40 | 1.75009226E-15 | 2.28559379E+16 | 0.58661830E-20 | 0.68187380E+22 |
| 8 | 70 | 2.99279106E-13 | 2.33895379E+14 | 0.20402690E-17 | 0.34309190E+20 |
| 9 | 126 | 2.39477444E-11 | 5.26145586E+12 | 0.40463370E-15 | 0.31139250E+18 |
| 10 | 225 | 7.73424039E-10 | 2.90914154E+11 | 0.31781350E-13 | 0.70796220E+16 |
| 11 | 411 | 1.42517804E-08 | 2.88385022E+10 | 0.13612270E-11 | 0.30193290E+15 |
| 12 | 746 | 1.48157461E-07 | 5.03518348E+09 | 0.29555160E-10 | 0.25240930E+14 |
| 13 | 1376 | 1.0660927E-06 | 1.29069451E+09 | 0.41129290E-09 | 0.33455440E+13 |
| 14 | 2537 | 5.46899677E-06 | 463887639 | 0.37461550E-08 | 0.67722710E+12 |
| 15 | 4719 | 2.19028276E-05 | 215451634 | 0.24991280E-07 | 0.18882570E+12 |
| 16 | 8799 | 7.12191038E-05 | 123548311 | 0.12723630E-06 | 0.69154690E+11 |
| 17 | 16509 | 1.96662481E-04 | 83945854.4 | 0.52428530E-06 | 0.31488570E+11 |
| 18 | 31041 | 4.71015488E-04 | 65902291.5 | 0.17992970E-05 | 0.17251720E+11 |
| 19 | 58635 | 1.00764675E-03 | 58190035.4 | 0.53284450E-05 | 0.11004140E+11 |
| 20 | 111012 | 1.96260912E-03 | 56563479.1 | 0.13895770E-04 | 0.79888990E+10 |
| 21 | 210870 | 3.54177251E-03 | 59537985.4 | 0.32587350E-04 | 0.64709140E+10 |
| 22 | 401427 | 5.96621694E-03 | 67283339.5 | 0.69740460E-04 | 0.57560100E+10 |
| 23 | 766149 | 9.45338803E-03 | 81044911.9 | 0.13806940E-03 | 0.55490060E+10 |
| 24 | 1465019 | .0142135998 | 103071637 | 2.25535770E-03 | 0.57373450E+10 |
| 25 | 2807195 | .0204564492 | 137227872 | 0.44523690E-03 | 0.63048900E+10 |
| 26 | 5387990 | .0283794933 | 189855046 | 0.73751900E-03 | 0.73054240E+10 |
| 27 | 10358998 | .0381757153 | 271350462 | 0.11680410E-02 | 0.88686300E+10 |
| 28 | 19945393 | .0500248252 | 398709899 | 0.17773340E-02 | 0.11222780E+11 |
| 29 | 38458183 | .0640949758 | 600018684 | 0.26095230E-02 | 0.14737250E+11 |
| 30 | 74248450 | .0805164802 | 922152208 | 0.33185230E-01 | |

Another example of the use of the linearity of squaring is a method referred to as weight manipulation [4] (for more details see [5]). Define p(x) = x^m + g(x) where g(x) has degree k ≪ m. Define d to be the largest integer such that 2^d m ≤ n. Let s = n − 2^d m and consider

It follows that

$$\deg t(x) = \max\{k 2^{d} + s,\ \deg(f(x) + x^{n})\}.$$

If p(x) and t(x) are smooth with respect to b then we obtain an equation. For example, in GF(2^127) generated by f(x) = x^127 + x + 1 take p(x) = 1 + x^7 (so m = 7 and d = 4); then s = 15. This gives

$$t(x) = x^{15}(1 + x^{7})^{16} = 1 + x + x^{15}.$$

Clearly, both t(x) and p(x) are smooth with respect to b = 17. A similar result can be developed for [p(x)]^{2^{d+1}}.

Coppersmith [6] has extended the idea behind these techniques and has obtained striking improvements in the index calculus methods. We should mention that asymptotically the Waterloo algorithm is of the same order (exp(c_2 (n log n)^{1/2})) as the Adleman algorithm, but for fields GF(2^n) of practical interest it gives much better running times. The Coppersmith algorithm is described in the next section.

The database for GF(2^127) was constructed at Denelcor using their HEP computer [12]. A HEP consists of from one to sixteen process execution modules, each of which is a pipelined processor with a depth of 8. Since the HEP can run a given program in parallel with itself, the index-calculus algorithms are ideally suited to this architecture. Several copies of the algorithm were run in parallel to produce linear equations which, when added to those found systematically and by weight manipulation, would yield 16,510 linearly independent equations in the 16,510 unknown logs. Sixteen copies of the algorithm in parallel appeared to be optimal. The database took about 7 hours to build, and computing individual logs using Part 2 takes under 1 second on the HEP. Having the database, our implementation on a VAX11/780 takes about five minutes per logarithm.

As mentioned in the previous paragraph, the index calculus algorithms are ideally suited to parallel processing. If we run n copies of the program in parallel then the logarithm is obtained from the copy which finishes first. We compute the expected number of iterations to find the logarithm of an element given that n copies of the algorithm are running simultaneously. Let p be the probability that an iteration will succeed in computing the logarithm and let q = 1 − p. Suppose i of the processes complete on the k-th iteration and the remaining n − i do not. The probability of this event is

$$(pq^{k-1})^{i}\,[1 - pq^{k-1}]^{n-i}$$

and the probability that at least one of the processes finishes on the k-th iteration is

$$\sum_{i=1}^{n} \binom{n}{i} [pq^{k-1}]^{i} [1 - pq^{k-1}]^{n-i}. \qquad (*)$$

Since p = 1 − q, (*) equals q^{(k−1)n}[1 − q^n]. To compute the expected number of iterations we evaluate

$$\sum_{k=1}^{\infty} k\, q^{(k-1)n}(1 - q^{n}) = (1 - q^{n})^{-1}.$$

Since q = 1 − p it follows that (1 − q^n)^{-1} ≈ (np)^{-1}, as one might expect. This expected number of iterations did occur when we made experimental runs on the HEP.
4. The Coppersmith Algorithm

The algorithm described in this section makes extensive use of the linearity of squaring in GF(2^n). The method applies also to p-th powers in GF(p^n) for n > 1.

Coppersmith's modification [6] of the basic index-calculus algorithm of section 2 improves substantially the performance of both parts 1 and 2. Let's first consider part 1.

The algorithms of the previous sections and the algorithm given here rely on the fact that polynomials of degree k tend to factor into polynomials whose degrees are "small". In order to generate enough equations to construct the database for GF(2^n), select pairs of polynomials (a(x),b(x)) such that deg a(x) ≤ d and deg b(x) ≤ d, where d < b and the gcd of a(x) and b(x) is 1. It is easily seen that there are precisely 2^{2d+1} such pairs. Let k be a power of 2 near √(n/b) and choose h to be the least integer greater than n/k. Suppose also that the generating polynomial for the field has the form f(x) = x^n + g(x) where g(x) has low degree. Note that x^{hk} = g(x)x^{hk−n} (mod f(x)), and define

$$c(x) = x^{h} a(x) + b(x)$$

and

$$d(x) = [c(x)]^{k}.$$

If both c(x) and d(x) are smooth with respect to b, then we obtain an equation for the database. In the case n = 127 we take b = 17, k = 4, h = 32 and d = 10. The polynomials c(x) and d(x) have degrees ≤ 42. Coppersmith [6] shows that the 2 million possible pairs (a(x),b(x)) yield about 47,000 equations in the 16,510 unknowns. The above procedure is a variant on the weight manipulation method of the previous section. A more direct application of weight manipulation can be described. We illustrate the technique in the case GF(2^127) generated by f(x) = x^127 + x + 1. Select pairs of polynomials (a(x),b(x)) which are relatively prime and such that deg a(x) ≤ 7 and deg b(x) ≤ 8. Form the polynomials c(x) = a(x)x^31 + b(x) and d(x) = x^3[c(x)]^4, where deg c(x) ≤ 38 and deg d(x) ≤ 35. If c(x) and d(x) are smooth with respect to b = 17 we get an equation.
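The three constructions that exploit the linearity of squaring, the systematic equations of section 3, the weight manipulation t(x) = x^s p(x)^{2^d}, and the Coppersmith pairs c(x) = x^h a(x) + b(x), d(x) = [c(x)]^k just described, share one primitive: raising a polynomial to a power of two in GF(2)[x] merely spreads its bits. The following Python example, added here and not part of the paper, works in GF(2^127) with f(x) = x^127 + x + 1 and checks the stated degrees (t(x) = 1 + x + x^15 for p(x) = 1 + x^7; deg c(x), deg d(x) ≤ 42 for h = 32, k = 4, deg a, deg b ≤ 10; deg c ≤ 38 and deg d ≤ 35 for the direct variant). The function names, the random sampling of pairs and the trial counts are the example's own assumptions.

```python
import random

# GF(2^127) defined by f(x) = x^127 + x + 1 as in the paper.  Polynomials over GF(2) are ints
# with bit i = coefficient of x^i.  Squaring is linear, so p(x)^(2^d) = p(x^(2^d)) in GF(2)[x]
# and every step below needs only shifts, XORs and bit spreading (no general multiplication).
N = 127
F = (1 << N) | 0b11

def pdeg(a):
    return a.bit_length() - 1

def pmod(a, m):             # remainder of a modulo m in GF(2)[x]
    dm = pdeg(m)
    while a and pdeg(a) >= dm:
        a ^= m << (pdeg(a) - dm)
    return a

def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a

def frob(p, d):
    """p(x)^(2^d) computed exactly in GF(2)[x]: the bit at position i moves to i * 2^d."""
    r, i = 0, 0
    while p >> i:
        if (p >> i) & 1:
            r |= 1 << (i << d)
        i += 1
    return r

def weight_manipulation(p, m, f=F, n=N):
    """Weight manipulation: t(x) = x^s * p(x)^(2^d) mod f, with d the largest integer such
    that 2^d * m <= n and s = n - 2^d * m.  Returns (d, s, t); since log t = s + 2^d * log p,
    a smooth p and a smooth t give one equation for the database."""
    d = 0
    while (m << (d + 1)) <= n:
        d += 1
    s = n - (m << d)
    return d, s, pmod(frob(p, d) << s, f)

def reduce_power_of_two(i, f=F):
    """x^(2^i) mod f by i squarings.  Because f divides x^128 + x^2 + x, the result is always
    a sum of terms x^(2^j) with j <= 6, which is what the paper's systematic equations use
    (the log of such an element is 2^i, and 1 + x^(2^i) = (1 + x)^(2^i) gives a second family)."""
    e = 0b10
    for _ in range(i):
        e = pmod(frob(e, 1), f)
    return e

def is_sum_of_two_powers(e):
    """True if every term of e is x^(2^j) for some j >= 0."""
    return all(b > 0 and b & (b - 1) == 0 for b in range(e.bit_length()) if (e >> b) & 1)

def shifted_pair(a, b, h, k_log2, shift, f=F):
    """c(x) = x^h a(x) + b(x) and d(x) = x^shift * c(x)^(2^k_log2) mod f.  With (h, k_log2,
    shift) = (32, 2, 0) this is part 1 of the Coppersmith algorithm for n = 127; with
    (31, 2, 3) it is the paper's direct weight-manipulation variant."""
    c = (a << h) ^ b
    return c, pmod(frob(c, k_log2) << shift, f)

def max_degrees(seed, da, db, h, k_log2, shift, trials=300):
    """Largest deg c(x), deg d(x) over random relatively prime pairs with deg a <= da and
    deg b <= db (constructed sample input).  The paper states 42 for the Coppersmith
    parameters and 38, 35 for the direct variant."""
    rng, mc, md = random.Random(seed), 0, 0
    for _ in range(trials):
        a, b = rng.randrange(1, 1 << (da + 1)), rng.randrange(1, 1 << (db + 1))
        if pgcd(a, b) != 1:
            continue
        c, d = shifted_pair(a, b, h, k_log2, shift)
        mc, md = max(mc, pdeg(c)), max(md, pdeg(d))
    return mc, md
```

The degree bounds are the whole point: because x^128 reduces to x^2 + x, raising c(x) to the fourth power and reducing leaves d(x) no larger than c(x), so both sides of the equation have a realistic chance of being 17-smooth, which is what the counts of 47,000 and 7,777 equations in the text depend on.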

We now describe part 2 of the algorithm. Let g(x) be a field element whose log is to be found. Suppose t = deg g(x). Let k be a power of 2 close to √(n/t) and h be the least integer greater than n/k. For example, if n = 127, b = 17 and t = 33 then choose k = 2 so that h = 64. Finally select d close to (t + √(n/t) log n)/2. In our example we take d = 12. Choose a relatively prime pair of polynomials a(x) and b(x), each of degree at most d, such that g(x) divides c(x) = x^h a(x) + b(x). The choices for a(x) and b(x) can easily be determined by solving a linear system of equations over GF(2). Let d(x) = [c(x)]^k. If both c(x) and d(x) are smooth with respect to the bound b_1 = h√(b/n) then we have at most 2t irreducible factors of degree at most b_1. For each factor with degree > b we iterate this procedure and reduce the bound with each iteration. That is, at iteration i, b_i = h(b/n)^{i/2}. If not both of c(x), d(x) are smooth then choose a new pair a(x), b(x) and start again.

The asymptotic running time of this algorithm is computed by Coppersmith [6] to be exp(c n^{1/3} (log n)^{2/3}), which improves the results of the previous two sections.
We have implemented part 2 of Coppersmith's algorithm. The following table displays test results of 8 samples, each consisting of 100 randomly generated polynomials of degree at most 126. The degree bound b is always 17 but for each sample we varied the Coppersmith degree bound b' and the value of d. We have a column labelled "Total Number of Basic Iterations". This refers to the number of iterations required to obtain smoothness with respect to b'. The column labelled "Total Number of Coppersmith Iterations" is the total number of iterations to obtain smoothness with respect to degree bound 17 for those polynomials with degree between 17 and b'. We also found that in this case a single step of the Coppersmith reduction was optimal.



| b' | d | Total number of basic iterations | Total number of Coppersmith iterations | Average time in sec per log |
| 20 | 12 | 99,496 | 6,731 | 57 |
| 20 | 13 | 72,519 | 7,262 | 44 |
| 21 | 12 | 98,245 | 9,087 | 49 |
| 21 | 13 | 39,327 | 9,995 | 19 |
| 22 | 13 | 38,390 | 11,859 | 28 |
| 22 | 14 | 24,741 | 16,299 | 28 |
| 23 | 14 | 20,296 | 20,726 | 27 |
| 23 | 15 | 12,857 | 27,045 | 47 |

From the table it appears that b' = 23 and d = 14 is optimal. With these values we ran a sample of 500 randomly generated polynomials with the following result. The column headings are the same as in the previous table.

| 23 | 14 | 120,661 | 101,563 | 26.6 |

For GF(2^127) we refer to an equation of the form

$$[C(x)]^{4} = [A(x)x^{32} + B(x)]^{4}$$

as a Coppersmith equation. As a direct generalization of the weight manipulation technique discussed earlier we consider equations of the form

$$x^{127-4i}[C(x)]^{4} = x^{127-4i}[A(x)x^{i} + B(x)]^{4}$$

and refer to these as underflow equations. With the degrees of A(x) and B(x) at most 9 in the Coppersmith equations we generated 19461 equations for the database in 8.1 hours on the VAX. With the degrees of A(x) and B(x) at most 8 we obtained 7777 equations in 2.23 hours. The following table lists results when underflow equations were used. The columns labelled deg A and deg B refer to the highest degree used for A and B respectively. For polynomial A we require that it has a constant term, so that no Coppersmith equations are generated this way and the equations obtained from distinct rows are all different.
| deg A | deg B | Value of i | Number of Equations | (Hours) |
| 8 | 9 | 31 | 7891 | 2.89 |
| 9 | 8 | 30 | 7193 | 2.88 |
| 10 | 7 | 29 | 5975 | 2.80 |

If we use the Coppersmith equations with the degrees of A(x) and B(x) at most 8 and we use the underflow equations given in the first two rows of the table we get 22,861 equations in 8 hours, or one equation every .3499 × 10^{-3} hours. This is approximately a 16% improvement over collecting the 19461 equations using the Coppersmith equations with deg A(x), deg B(x) ≤ 9. This data was obtained by running our program on a VAX11/780 at the University of Waterloo. The program is written in Fortran 77 with the gcd routines in assembler.

5. Conclusion

We have described the basic index-calculus algorithm and two variants of it. The basic algorithm and the Waterloo algorithm both carry over to GF(p), p a prime. Using the Euclidean algorithm for integers it is easy to show that, given an integer a, 1 ≤ a ≤ p − 1, there exist integers s and t such that as ≡ t (mod p) and 1 ≤ |s|, |t| ≤ √p.

As for GF(2^n), it is clear that for n = 127 this field is insecure and should be avoided in cryptographic schemes. In [13] Odlyzko analyses the performance of the Coppersmith algorithm for various values of n running on various types of equipment. The conclusion seems to be that an ambitious effort might be able to produce the necessary database for n ≈ 1280.
ABSTRACT

This paper presents the results of a simulation of an analog 
encryption scheme. The scheme, introduced in 1979 by Aaron Wyner of 
Bell Telephone Laboratories, provides secure, accurate scrambling of 
speech waveforms, while conforming to the bandlimitedness of a 
telephone channel. The simulation confirms the scheme's theoretical 
properties, based on numerical measures and on listening to encrypted 
and decrypted waveforms. 

INTRODUCTION 

Security in communications is increasingly important. While the 
thrust of research is in digital encryption methods, analog encryption 
is also of growing interest. Such encryption is useful, for example, 
in transmission to mobile telephones in automobiles, and to cellular 
radios.

Analog encryption for telephone speech poses special problems. 
Unlike digital encryption, it must be performed in real time. The 
result of encryption must conform to the bandwidth of the telephone 
channel, so that no information is lost. And it must be secure. 

A scrambling scheme introduced by Aaron Wyner of Bell Telephone 
Laboratories [Wyner, 1979a and 1979b] answers a theoretical question:
Are bandlimitedness and security mutually exclusive? The answer is a 
theoretical "yes"; we present here a practical "yes," as confirmed by 
a software simulation of the scheme. 

Let us now define a scrambler, since it is a term we will use 
frequently. One may view a scrambler as a black box whose input is an 
element of one space, and whose output is an element of another. The 
black box computes a one-to-one mapping from the input space to the 
output space, based on some secret quantity, or key. 

Associated with the scrambler is a descrambler, a black box that
computes a one-to-one mapping from the output space to the input 
space. The mapping is the inverse of that of the scrambler, when the 
secret quantity or key is the same. Without the key, however, it is 
computationally difficult to compute the inverse. 

The input and output spaces may be bit-strings of a given length, 
or a given number of samples of an analog signal. Although the 
samples of an analog signal can be considered as bit-strings (for 
instance, by concatenating the bits representing the samples), we 
choose to differentiate between analog and digital scramblers, based 
on the interpretation of the inputs and outputs. 

A practical scrambler, digital or analog, must have two
characteristics: security and speed. An analog scrambler must also 
be accurate. With regard to the model here, such a scrambler must 
conform to the bandlimitedness and noise properties of a telephone 
channel. Speed also is critical, because an analog scrambler for 
telephone communication must operate in real time. 

RESULTS OF THE SIMULATION 

The simulation of Wyner's speech scrambler gives good results. 
Accurate decryption and secure encryption are shown to be achievable 
with reasonable processor power. In particular, a signal-to-noise 
ratio of about 13 dB is possible with a processor that can perform a
multiply-and-add in 4 μs.

Several parameters define the operation of the scrambler. These 
parameters are adjusted to conform to the characteristics of the 
telephone channel, the quality of output desired, and the available 
processor power for the scrambler. A set of parameters that provides 
high-quality output and requires reasonable encryption speed for a 
typical telephone channel is the following:

  o block size -- 32 points

  o sampling rate -- 8000 per second

  o input band -- [0, 2700]

  o output band -- [300, 3200]

The significance of each of these parameters is described below. 

The main test of the scrambler is the encryption and decryption 
of an utterance of the word "potato." A qualitative, and somewhat 
subjective, analysis of the scrambler provides encouraging results. 

The decrypted signal sounds clear and accurate, with little 
difference in quality from the original signals. The transmitted 
signal, as expected, resembles white noise. One is able, however, to 
identify vowels when hearing the waveform. The signal sounds like 
"zhuh-zhuh-zhuh, " one "zhuh" for each vowel. This problem, a result 
of orthogonality in the scrambler, is discussed below. 

Figures 1 and 2 show the waveforms and spectrograms for the 
transmitted and decrypted signals. The figures are hardcopies of a 
Lisp machine display using a speech analysis system called Spire, 
which was developed at the MIT Speech Laboratory. 

The transmitted signal's spectrogram is distributed nearly 
uniformly across the desired band, but not across time. Note that its 
short-time energy resembles that of the decrypted signal. The 
decrypted signal's spectrogram looks very much like speech, with the 
vowels (0 and A) clearly visible. 

The results, although favorable, are not complete. Certain 
simplifications in the software model lead to results perhaps better 
than those attainable in practice. Nonetheless, high quality with 
reasonable processor power is still possible. The simplifications are 
explained below. 

CHOICE OF PARAMETERS 

Four parameters determine the operation of the scrambler. Their 
values determine the running time of the scrambling algorithm, the 
accuracy of transmission, and the level of security achieved. 
Figure 1 -- Spectrogram of transmitted waveform
Figure 2 -- Spectrogram of decrypted waveform

  o block size -- The scrambler operates on blocks of samples,
    producing N outputs for every N inputs. The block size
    determines the security, and also the speed requirements.
    Typical values might be 32, 64, or 96. We choose 32 to
    minimize speed requirements.

  o sampling rate -- A new sample of the input waveform is taken
    every T seconds. For speech, a rate of 8 kHz (T = 125 μs) is
    about the minimum to avoid aliasing. Higher rates are
    generally not required, but they may improve the quality of
    the decrypted signals.

  o input band -- This is the frequency band used to determine
    the basis vectors for scrambler input (and hence descrambler
    output). It is generally selected to maximize the amount of
    input energy included. For small N, much energy appears as
    DC, so a low end of 0 is chosen. The high end is at 2700 to
    provide a bandwidth narrower than that of the output.

  o output band -- This is the band used to determine basis
    vectors for scrambler output and descrambler input. It is
    generally wider than the input band, and conforms to the
    characteristics of the telephone channel. We use [300,
    3200], corresponding to the simulator's channel model.

Design of most of the scrambler depends not on the actual
frequencies -- such as [300, 3000] -- but on their discrete equivalents,
those scaled by the sampling period. With the parameters above, the
equivalent band would be [.0375, .375]. In the discussion that
follows, both input and output bands are loosely referred to as [W1,
W2], where W1 and W2 are in the range [0, .5]. The quantity W
represents the bandwidth, or W2 - W1.

HOW THE SCRAMBLER WORKS 

The bandlimitedness of the telephone channel constrains the 
output space of the black box scrambler model. Only those outputs 
resembling speech in bandwidth may be produced. Similarly, only those 
inputs of such form should be expected. Thus a mapping between the 
speech-like subspaces of the sets of all samples must be provided. 

We can approximate those subspaces by saying they correspond to 
the band [W1, W2] within the frequency spectrum on [0, .5]. Thus,
while the spaces obtained from N independent samples may have 
dimension N, the subspaces--constrained to be near zero outside the
selected band — really have dimension 2WN. With the parameters above, 
this quantity is about 22 for the input band, and 23 for the output 
band. 

The definition of bandlimited also includes indexlimited in the 
context of a speech scrambler. Each block of samples, if considered 
alone with samples in all other blocks set to zero, should be 
bandlimited for sufficiently large N. This means the discrete-time 
Fourier transform (that is, the transform from an infinite set of 
discrete values to an infinite, continuous waveform) of the block 
considered alone, should be roughly limited to [W1, W2].

Assuming that the subspace we want is of dimension 2WN, we must 
find a way to describe it. A naive description involves the discrete 
Fourier transform (that is, the transform from a set of discrete 
values to a set of discrete values). Perhaps the subspace is all sets 
of samples whose DFT is zero, except at those 2WN points in the
desired band. Since the transform is one-to-one, the subspace would 
be the correct size. 

The solution is not quite so simple. We seek sequences that are 
both indexlimited and bandlimited. Those whose DFT is zero, except at 
certain points, include sine waves. Certainly these are not 
indexlimited. 

Mathematical physics has a set of functions called prolate 
spheroidal waveforms. These waveforms are the only eigenfunctions of
the finite Fourier transform (that is, the transform from a
continuous, infinite waveform to a continuous waveform over [0, 1)).
Recall that eigenfunctions are those that, when transformed, are but
scaled over a certain range--in this case, [0, 1).

The discrete counterparts of the waveforms — discrete prolate 
spheroidal sequences --are similarly related to the discrete-time 
Fourier transform. Here the relationship is somewhat different. The 
sequences are "eigensequences" not of the transform itself, but of 
bandlimiting and of indexlimiting. 

Specifically, when a sequence, defined by parameters N, W1 and
W2, is bandlimited to [W1, W2], it is only scaled in indices [1, N].
The scaling is by the eigenvalue corresponding to the eigenvector.

Recalling digital signal processing, it is seen that to bandlimit 
a sequence is the same as to convolve the sequence with the 
non-causal impulse response of an ideal filter. For applying the
response to a finite set of points, this is equivalent to 
multiplication by a matrix derived from the impulse response. The
eigenvectors of such a matrix are the eigensequences above. 

The key result is that the eigenvalues fall into three 
categories: those close to 1, those close to 0, and others between 1 
and 0. The eigenvalue represents the amount of energy in the desired
band [W1, W2]. The majority of values are close to 1 or 0; 2WN such
values are close to 1. The corresponding 2WN eigenvectors are the 
basis of the subspace. 

An example of prolate spheroidal sequences is given in Figure 3. 
The sequences, their discrete-time Fourier transforms and their 
eigenvalues are shown, with N = 8 and band [.0375, .375]. Notice the
high concentration of the first four sequences, and the low 
concentration of the last two. 
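An added example, not from the paper, of the computation just outlined, in Python without numerical libraries: the bandlimiting operator on a block of N samples as the Toeplitz matrix of the ideal bandpass impulse response, its eigenvalues and eigenvectors by cyclic Jacobi rotations, and the 2WN best-concentrated eigenvectors as the basis used to compute the weights. It reproduces the N = 8, [.0375, .375] case of Figure 3 (eigenvalues clustering near 1 and near 0, with trace equal to 2WN = 5.4). The function names and the Jacobi routine are the example's own choices.

```python
import math

def bandpass_kernel(n, w1, w2):
    """n x n Toeplitz matrix of the ideal bandpass impulse response for the band [w1, w2]
    (frequencies scaled by the sampling period, 0 <= w1 < w2 <= 0.5).  Multiplying a block of
    n samples by it bandlimits the block, so its eigenvectors are the discrete prolate
    spheroidal sequences and each eigenvalue is the fraction of that sequence's energy in band."""
    def h(m):
        if m == 0:
            return 2.0 * (w2 - w1)
        return (math.sin(2 * math.pi * w2 * m) - math.sin(2 * math.pi * w1 * m)) / (math.pi * m)
    return [[h(i - j) for j in range(n)] for i in range(n)]

def jacobi_eigen(a, tol=1e-24, sweeps=100):
    """Cyclic Jacobi rotations for a real symmetric matrix (pure Python, no numpy).
    Returns (eigenvalues, eigenvectors) in decreasing eigenvalue order, eigenvectors as rows."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                      # A <- A J (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A (rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                      # V <- V J accumulates eigenvectors
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    order = sorted(range(n), key=lambda i: -a[i][i])
    return [a[i][i] for i in order], [[v[k][i] for k in range(n)] for i in order]

def prolate_basis(n, w1, w2):
    """The 2WN best-concentrated sequences: an (approximate) orthonormal basis of the
    speech-like subspace the scrambler works in.  Returns (all eigenvalues, basis rows)."""
    vals, vecs = jacobi_eigen(bandpass_kernel(n, w1, w2))
    dim = round(2.0 * (w2 - w1) * n)
    return vals, vecs[:dim]

def weights(block, basis):
    """Dot products of a sample block with each basis sequence (the scrambler's first step)."""
    return [sum(x * y for x, y in zip(block, row)) for row in basis]

def reconstruct(w, basis, n):
    """Samples = sum of weight * basis sequence (the scrambler's last step)."""
    return [sum(w[i] * basis[i][k] for i in range(len(w))) for k in range(n)]
```

With N = 32 and the bands in the text the same code gives the 22- and 23-dimensional subspaces mentioned above; the eigenvalues in the transition region between 1 and 0 are where reconstruction error enters, which is why a narrower input band than output band is chosen.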

It remains to be shown how to use these discrete prolate 
spheroidal sequences to scramble speech. Since 2WN sequences form an 
approximate basis for the desired subspace, we can compute for some 
set of N samples a weight corresponding to each sequence. The weights 
are easily found by dot-products. 

We know that any combination of the 2WN sequences will remain 
bandlimited. Hence the weights computed may be scrambled in any 
fashion, and a new set of samples produced. Scrambling the weights by 
an orthogonal transformation is most accurate, because any error in 
computing the weights is not increased. 

The security comes from the orthogonal transformation. 
Multiplying the weights, represented as a 2WN-element vector, by a 2WN 
x 2WN matrix, is equivalent. The matrix may be constructed randomly, 
based on a sequence of random numbers initiated by a secret key. The 
receiver, knowing the key, generates the same sequence of random 
matrices, and hence can reverse the orthogonal transformations. 

One unfortunate result of the orthogonality is that the 
short-time energy of the output of the scrambler is the same as that 
of the input. This allows an adversary to differentiate between 
vowels and consonants. This problem is easily solved by adding a 
dummy waveform to the output to maintain a constant energy. 

Considering the scrambling scheme as a series of matrix 
multiplications, we can estimate a running time. The transformation 
to prolate spheroidal weights is a 2WN x N matrix by N x 1 vector 
product. The 2WN x 2WN matrix by 2WN x 1 vector product follows, then 
reconstruction using a N x 2WN matrix by 2WN x 1 vector product. 
The series of multiplications is equivalent to an N x N matrix by
N x 1 vector product. This requires N^2 multiply-and-add operations
for every N samples. Hence one such operation is required each T / N 
seconds, giving the 4 us timing above. 

The simulator, of course, is not so constrained. It operates 
about 4000 times more slowly than a real-time scrambler. To scramble 
"potato" took several hours. 



SIMULATING A MODEL OF THE SCRAMBLER 

Notice the description of the scrambler above said very little 
about its role in a complete transmission system. Here we describe 
the way in which the black box is connected to the world — the input, 
transmission, and output processing. 

Figure 4 contains a block diagram of a model given by Wyner and 
used in the simulation. The diagram has eight components. The 
scrambler and unscrambler are those described above. The channel is a
typical telephone transmission channel; the equalizer is a typical
tapped delay-line used to compensate for linear distortion in the
channel. 



Figure 4 -- Block diagram of model for scrambler (input signal -> SAMPLER -> SCRAMBLER -> DESAMPLER -> transmitted signal -> SAMPLER -> ... -> output signal)
The model of the scrambler naturally lends itself to
object-oriented programming. Each module may be represented by a 
unique data type; indeed, even the signals and prolate spheroidal 
eigenvectors may be data types. Such an implementation is easily 
accomplished. 

A Lisp Machine--a minicomputer designed specifically for 
programming in Lisp — is used for the simulation. Its system of 
"flavors" allows construction of the data types to make a block 
diagram, and its graphics capabilities are useful for viewing 
waveforms and sequences as they pass through the block diagram. 

While the Lisp Machine is a sequential processor, the 
"transmission" of signals between modules is like that of a parallel, 
multiprocessor data-flow network. A driver passes input signals to 
the first module, which transmits to other modules, and so on, until 
the signals propagate to modules with no successors. 

It should be noted that the test environment is incomplete. The 
simulated equalizer is built knowing the response of the telephone 
channel. In practice, the equalizer would not be able to compensate 
as well for linear distortion, and errors would be larger. In 
addition, most calculations in the simulator are performed with 
high-precision floating point numbers. In practice, fewer bits may be 
used, and quantization errors in sampling will be present. These 
factors are not included in the simulation. 

WHERE CRYPTOGRAPHY FITS IN 

It may appear that the scrambler is based more on signal 
processing than on cryptography. The selection of scrambling 
matrices, however, is a problem of current interest in cryptography. 
A good overview of present methods for creating scrambling matrices is 
found in [Sloane, 1983]. 

Two general methods for selecting the random matrices come to 
mind. Precomputation with random selection from a set of such 
matrices is fast; computation at run-time is secure. In either case, 
some sequence of random numbers is needed. The "key" to the black box 
determines this sequence. 

The simulator uses precomputation, since the matrix selected has 
little effect on the accuracy of the system. A set of matrices is 
computed by the Gram-Schmidt algorithm — by orthogonalizing matrices 
containing normally-distributed random elements. 

Hadamard matrices (that is, those of size m x m, orthogonal, with 
all elements either 1/√m or -1/√m) are best suited for run-time 
calculation. Random permutations and sign changes, all quickly done, 
further increase the security. 



CONCLUSION 

A faster implementation of the scrambler is necessary for further 
study, given the slowness of the software model. The slowness is due 
primarily to the object-oriented implementation, which is ideal for 
detailed, step-by-step testing, but impractical for system testing. 
Since construction of a hardware unit in a short time period would be 
difficult, use of a processor with a floating-point accelerator is a 
logical next step. 
ON ROTATION GROUP AND ENCRYPTION OF ANALOG SIGNALS 

INTRODUCTION 

The problem of generating random elements in groups has direct application 
to cryptography. For instance, we would like to know whether the DES permutations are 
random permutations of the 2^64 possible 64-bit words. The whole symmetric group 
is known to be generated by certain k-functions (7). Another example is the 
Wyner voice encryption scheme (12) which requires the production of large 
numbers of random real orthogonal matrices. N. J. A. Sloane has given a survey 
on this problem (11) which has led to the following questions for a given group 
G: 

1. How does one generate elements of G at random? 

2. How can one test if certain given elements of G really are random? 

3. Does a given subset H generate the whole group G? 

4. If so, how long does it take? 

In this paper, we consider these questions for the orthogonal group O(d) for 
any positive integer d. By looking at the Lie algebra o(d) of O(d) and one-parameter 
subgroups of O(d), we can find the generation of an arbitrary element 
in terms of one-parameter rotation groups in a uniform fashion. The length of 
generation can be determined. Random elements are generated using a random 
number generator on the real parameter space of each one-parameter subgroup. 

The structural theory of Lie groups and other groups seems to be useful 
to cryptography. For groups which are not Lie, one may try to embed them into 
Lie groups. Transformation group theory and ergodic theory also emerge as 
very useful. Ergodic theory can be considered to be a generalization of 
the existing probabilistic and statistical methods. We certainly owe the idea 
to Shannon in his classic paper in 1949 (11) on the mixing property of two 
non-commuting operations on some space. We only have to find an operation which is 
the iteration of these two operations to a certain high degree to achieve a 
relatively mixing situation in the space. We may point out that a quite simple 
group, such as the real numbers, can act on a space in a very complicated way 
to yield a good cryptosystem. The RSA system can be considered in this manner (4) 
as a transformation semigroup. 

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 95-100, 1985. 



ENCRYPTION OF ANALOG SIGNALS 

Wyner's voice encryption scheme offers high fidelity and high security for 
encrypting voice signals over telephone lines. The technique is applicable to 
other analog signals. For the space of approximately bandlimited sequences 
(a(1),...,a(N)), there is a known basis x_1,...,x_d, d ≈ 2WN, where W < 1/2 is the 
bandwidth, called discrete prolate spheroidal sequences (11). Each waveform is 
sampled every T seconds, where T is less than the Nyquist rate. We take a finite 
segment a = (a(1),...,a(N)) of the sampled sequence and express it by 

$$a = \sum_{j=1}^{d} a_j x_j,$$

where the coefficients are determined in the standard way and N is large enough 
to contain most of the energy in the given waveform. 

The scrambling or encrypting is performed by multiplying the coefficient 
vector (a_1,...,a_d) by a secret d by d orthogonal matrix Q, obtaining 

$$(b_1, \ldots, b_d) = (a_1, \ldots, a_d)\,Q.$$

The encrypted sequence is 

$$b = \sum_{j=1}^{d} b_j x_j,$$

from which the encrypted waveform can be formed. The encrypted waveform has the 
same bandwidth and approximately the same energy as the original waveform. Wyner 
has shown that if N and d are large enough and matrices Q are chosen independently 
and uniformly from the orthogonal group, then his scheme offers essentially 
perfect security (11), (12). 



THE ORTHOGONAL GROUP 

The orthogonal group O(d) acting on the d-dimensional Euclidean vector space 
can be characterized by the preservation of the Euclidean inner product. The 
group O(d) is a Lie group and a Lie subgroup of the general linear group GL(d) of 
all nonsingular matrices. The manifold (Lie group) structure of GL(d) comes from 
the Euclidean vector space R^{d^2}, of which GL(d) is an open subset. For each Lie group G, there is 
a Lie algebra g which is a vector space together with a Lie product [ , ]. For 
matrix Lie groups, the Lie product is the commutator [X,Y] = XY - YX, where X and 
Y are just matrices in R^{d^2}. It is easy to see that the Lie algebra of GL(d) is R^{d^2}. 
The key point is that the exponential mapping exp(tX) brings an element X in the 
Lie algebra g to an element exp(tX) in the Lie group G. For matrix Lie groups, 

$$\exp(tX) = 1 + tX + \frac{t^2 X^2}{2!} + \cdots,$$

where X is any element in g. The set of exp(tX) for all t in R is a one-parameter 
subgroup in G and the derivative of exp(tX) at t=0 is X. Thus X is the 
velocity at t=0 of the group exp(tX). 

The orthogonal group O(d) and its Lie algebra o(d) are well known, including 
their complete structures and associated mathematical invariants. The group O(d) 
is not connected and has two connected components; those having determinant +1 
form SO(d), while those having determinant -1 form the other component, which is 
not a group because the identity matrix is not in it. The dimension of SO(d) as 
well as O(d) is d(d-1)/2. The dimension of the Lie algebra o(d) is that of O(d). 
Indeed, the Lie algebra o(d) is also the Lie algebra of SO(d). The classification 
of Lie subgroups of a simple Lie group is important to our consideration (3). 
RANDOM GENERATION 

If we take a set of one-parameter groups exp(tX_1),...,exp(tX_m), all the 
finite products of elements from these groups generate an arcwise connected 
subgroup of SO(d). By Yamabe's theorem, it is a Lie subgroup. For m large 
enough, it contains a maximal subgroup and has to be the whole group SO(d). For 
example, SO(3) has no 2-dimensional Lie subgroup and m = 2 will be sufficient. 
Thus, up to one-parameter subgroups, question 3 of Sloane is answered. Question 
4 is answered by finding a positive integer n such that every element of SO(d) 
can be expressed as a product of elements selected from the given set of 
one-parameter subgroups with length at most n, and by determining the minimal n 
over the collection of all such sets of one-parameter groups. Note that n depends 
on the choice of the set of one-parameter groups. 

The first part is answered easily. Let S_n be all products of length less 
than or equal to n. S_n is compact and SO(d) is the union of S_n for all positive 
n. By the Baire category theorem, some S_m contains an open set whose translates 
cover SO(d). This open cover has a finite subcover and the result is proved. To 
determine the number n for a given set of groups is rather complicated. One 
needs to study the geometry of the (d-1)-sphere on which SO(d) acts and use 
some mathematics in (3). The minimal number n can be shown to be d(d-1)/2. 

In order to generate random elements, we generate random numbers on the real 
parameters. First, we generate random numbers on the interval [0,1]. By iteration, 
we get the whole real parameter space. The transition from SO(d) to O(d) is easy. 
The index of O(d) over SO(d) is two. 
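The ways of choosing the secret orthogonal matrix Q discussed on this page (Gram-Schmidt precomputation and randomized Hadamard matrices in the scrambler paper's WHERE CRYPTOGRAPHY FITS IN, and products of one-parameter rotations exp(tX) here), in one added illustration that is not code from either paper; it assumes a toy dimension d = 4, a constructed coefficient vector and plain Python lists:

```python
"""Added example (not code from either paper): three ways of producing the
secret orthogonal matrix Q that scrambles a coefficient vector, b = aQ, with
checks that Q is orthogonal, that the energy of b equals that of a, and that
Q^T recovers a.  Standard library only; d = 4 is a constructed toy size.
"""
import math
import random

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def transpose(A):
    return [list(col) for col in zip(*A)]

def identity(d):
    return [[1.0 if i == j else 0.0 for j in range(d)] for i in range(d)]

def gram_schmidt_orthogonal(d, rng):
    """Scrambler-simulation precomputation: rows of normally distributed random
    numbers, orthonormalized one at a time by Gram-Schmidt."""
    rows = []
    while len(rows) < d:
        v = [rng.gauss(0.0, 1.0) for _ in range(d)]
        for u in rows:                        # strip the components along earlier rows
            dot = sum(a * b for a, b in zip(v, u))
            v = [a - dot * b for a, b in zip(v, u)]
        norm = math.sqrt(sum(a * a for a in v))
        if norm > 1e-9:                       # redraw in the (practically impossible) degenerate case
            rows.append([a / norm for a in v])
    return rows

def randomized_hadamard(m, rng):
    """Run-time method: Sylvester-Hadamard matrix (m a power of two) scaled by
    1/sqrt(m), then a random row permutation and random row sign changes."""
    H = [[1.0]]
    while len(H) < m:                         # H -> [[H, H], [H, -H]]
        H = [r + r for r in H] + [r + [-x for x in r] for r in H]
    order = list(range(m))
    rng.shuffle(order)
    scale = 1.0 / math.sqrt(m)
    out = []
    for i in order:
        sign = rng.choice((-1.0, 1.0)) * scale  # one sign per row keeps rows orthonormal
        out.append([sign * x for x in H[i]])
    return out

def plane_rotation(d, i, j, t):
    """exp(t X_ij) for the skew-symmetric generator X_ij (+1 at (i,j), -1 at
    (j,i)): the one-parameter subgroup of rotations in the i-j plane."""
    R = identity(d)
    R[i][i] = R[j][j] = math.cos(t)
    R[i][j], R[j][i] = math.sin(t), -math.sin(t)
    return R

def random_rotation(d, rng):
    """Product of one rotation per coordinate plane, d(d-1)/2 factors in all,
    each with a uniform random angle; the result lies in SO(d)."""
    Q = identity(d)
    for i in range(d):
        for j in range(i + 1, d):
            Q = matmul(Q, plane_rotation(d, i, j, rng.uniform(0.0, 2.0 * math.pi)))
    return Q

def is_orthogonal(Q, tol=1e-9):
    """Q Q^T = I within tolerance."""
    P = matmul(Q, transpose(Q))
    return all(abs(P[i][j] - (1.0 if i == j else 0.0)) < tol
               for i in range(len(Q)) for j in range(len(Q)))

def scramble(a, Q):
    """b = aQ, a being the row vector of prolate-spheroidal coefficients."""
    return matmul([a], Q)[0]

def unscramble(b, Q):
    """a = b Q^T, since Q^-1 = Q^T for an orthogonal Q."""
    return matmul([b], transpose(Q))[0]

def energy(v):
    return sum(x * x for x in v)

def check_all(seed=7):
    """Per method: (Q orthogonal?, energy preserved?, round trip exact?)."""
    rng = random.Random(seed)
    a = [1.0, -2.0, 0.5, 3.0]                 # constructed coefficient vector, d = 4
    d = len(a)
    methods = {"gram_schmidt": gram_schmidt_orthogonal(d, rng),
               "hadamard": randomized_hadamard(d, rng),
               "rotations": random_rotation(d, rng)}
    results = {}
    for name, Q in methods.items():
        b = scramble(a, Q)
        back = unscramble(b, Q)
        results[name] = (is_orthogonal(Q),
                         abs(energy(b) - energy(a)) < 1e-9,
                         max(abs(x - y) for x, y in zip(a, back)) < 1e-9)
    return results

if __name__ == "__main__":
    for name, (orth, kept, back) in check_all().items():
        print(f"{name:13s} orthogonal={orth} energy_kept={kept} round_trip={back}")
```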

Since a direct product of low dimensional orthogonal groups is a subgroup of 
a higher dimensional one, we may increase the speed of encryption by segmenting 
the signal, applying lower dimensional groups and globally scrambling segments. 
This scheme provides a trap door for the system. 

The advantage of our encryption system is that the set of one-parameter 
groups is fixed once and for all, as is the form of the random orthogonal matrix. 
This constancy is useful to hardwire the box to eliminate the intensive computation 
for generating a random orthogonal matrix. The pseudo-random scheme (11) using 
Hadamard matrices does not seem to generate truly random matrices. It is proved 
that for d greater than or equal to 8, the subgroup G generated by the set S is 
topologically dense in O(d), where S is a certain set of matrices (11). For d = 8, 
the cardinality of S is 4954521600. For d = 48, the cardinality becomes 1.1765... 
times 10^146. We would like to point out that the length of a finite product in the 
topological closure may have to be extremely large. 

Finally, we may introduce other trap doors to our system to increase the 
speed of encryption, but our opponent still needs to decrypt the signal randomly. 
One may use pseudo-random number generators, partial products of one-parameter 
subgroups or other structural constraints of Lie groups. The structure of Lie 
groups is very elegant and simple on one hand, as we have seen above. On the 
other hand, extremely hairy situations may occur. For instance, we can embed 
a free group of two generators in a compact Lie group. Then this subset contains 
a free subgroup of infinitely many generators. Anyway, I agree with G. R. 
Blakley (2) that group theory offers a lot of opportunity for cryptologists to 
explore. 
INTRODUCTION 

You can do a lot with a book, besides read it! In fact, we know 
that by 1526 — some 70 years after Gutenberg printed his first Bible — at 
least one of our forebears, Jacobus Silvestri, was thinking of how a 
book might be used for cryptographic purposes. Silvestri wrote of a 
sort of code book, or dictionary, which he recommended as a means to 
encipher written communications. From Silvestri, we can trace the 
development of book ciphers over a period of at least 400 years. 

Book ciphers can be defined as any means of concealment in which a 
book, or existing text, is used as a basis for a cipher, from the simple 
and ridiculous to the complex and secure. They may include such 
oddities as Centos, in which words taken from the text are rearranged to 
form a different story; acrostics, which are built into a text and are 
extracted according to various rules to form a hidden meaning, and 
anagrams, in which the letters of a text are rearranged to form another 
text. The chief object of this paper is to demonstrate some ways in 
which book ciphers have been used for secure communications. 

The simplest, and least secure method, is to take a dictionary and 
use the numbers of the page, column and line on which the desired word 
is found. This is equivalent to a one-part code in which both the 
numbers and the words run in their usual order. With such a simple 
method the approximate length of the dictionary and the location of 
particular initial letters in the dictionary can soon be ascertained. 

Words may be cut from a text such as a newspaper or magazine and 
rearranged in Cento fashion to form a desired message. Handwriting and 
other clues as to the origin of the message are concealed. 1 One of the 
oldest methods, used even by the ancient Greeks, makes use of tiny dots 
or pinpricks placed under the words or letters of a book to spell out a 
desired message. 2 The text is then sent to the recipient. The most 
effective of the book ciphers is the running key cipher where the cipher 
key is formed by the text of the book itself, which never repeats. As 
long as the key is used only once, the system is quite effective and 
reaches perfect security when the text used is random. 

Centos are not practical for secret communication but are more 
likely to represent the recreational activities of medieval monks, with 
such productions as the Life of Christ made up from lines extracted from 
the Homeric poems or Virgil. 3 

Another use of texts which is more recreational than cryptographic 
is the formation of acrostics, where the secret information is 
concealed, frequently by the use of initial letters in a specially 
prepared text. The Hypnerotomachia Poliphili, where a Dominican monk 
confesses his love for one Polia, 4 and certain of the poems of Edgar 
Allan Poe are good examples. 5 

Anagrams, which use the letters of one text to form a secret 
message were frequently used by 17th century scientists to conceal and 
establish priority of discoveries. Unfortunately, it is often possible 
to anagram several perfectly good plain texts from a particular 
collection of letters, as witness the several thousand anagrams made up 
from the angelic salutation "Ave Maria...." 6 An anagram can be 
considered as an unkeyed transposition cipher and is worthless for the 
purposes to which it was put by Galileo, Huygens, and others. 7 Oddly, 
anagramming is often used as a last resort, especially by the 
unskilled, to unscramble impossible cryptograms even when there is no 
logical basis whatsoever for doing so. 

THE SIXTEENTH CENTURY 

A rather impractical method of book cipher was suggested by Blaise 
de Vigenere in 1586, which consists of placing a transparent sheet over 
the pages of a book and underlining the words you wish to use on the 
transparency. When a copy is sent to the receiver, he can place it over 
his copy of the book and see which words have been marked. 8 (This is 
really the equivalent of making a simple grill by cutting holes in a 
sheet of paper and sending it to the receiver to fit over a page. 9) But 
the chances of finding the desired words for a message in a page or so of 
print are very slim. 

Vigenere also describes the book cipher method which is probably 
the one most commonly used — that in which a letter is indicated by using 
numbers to show page, line, and location of the letter within the 
line. 10 This obviously takes a good many figures to encipher a single 
letter. He feels that such a cipher would be impossible to break 
without the key, but that, nevertheless, it is slow and tiresome to use 
and subject to error. He ascribes the method to Leone Battista Alberti 
of Florence (d. 1472) and quotes Alberti as saying that the method was 
"worthy of an emperor or a king." However, this is apparently based on 
a mistranslation. In actuality Alberti was referring to his own 
invention of the disk cipher and a more correct translation of the 
passage in Vigenere would be "It is sufficient to have mentioned it (the 
book cipher) in passing, because I have seen some who prize it very 
highly, just as a certain Leone Alberti of Florence prizes his own 
cipher (the disk cipher), 'worthy,' he says, 'of an emperor or 
king.'" 11 

The first actual description of a true book cipher that the 
authors were able to discover is that of Jacobus Silvestri in 1526. 12 
Silvestri writes of a sort of code book, or dictionary, with root words 
in multiple columns. A unique symbol is associated with each column and 
row, and additional symbols are available for grammatical inflections. 
This is really an early form of an artificial language. Some current 
investigators are of the opinion that the famous Voynich manuscript may 
be composed in a form of artificial language. 13, 14 The Voynich 
Manuscript is often referred to as the "most mysterious manuscript in 
the world." Even its authorship is a puzzle. It has been attributed by 
some to Roger Bacon in the 13th century and has been thought to contain 
early records of scientific discoveries. In actuality, not even its 
date of origin or the language it is written in has ever been 
satisfactorily established. 

Another early practitioner of the book cipher was the famous 
mathematician Girolamo Cardano, writing in the 1550's, whose 
impractical method was to find the words he wanted in a text and then 
write and send the words before or after the desired ones, altering them 
to make connected sense and adding, if necessary, extra words in 
parentheses. It is easy to imagine the recipient of such a cipher 
searching through his copy of the book which was used looking for the 
words before and after those in the cipher. Charles J. Mendelsohn 
charitably says "Other ways of communicating with the aid of two copies 
of the same book have been devised, but this one has never come into 
favor." 15 

A similar method of using a book was proposed by Giovanni Battista 
Porta in 1563, 16 but by 1586 Vigenere was proposing several ways of 
using a book such as the oiled-paper transparency already referred to 
and the commonly used method of using numbers for page, line, and 
location of the letter within the line, but also of disguising the 
cipher as an astronomical table. The signs of the zodiac were used to 
indicate the page, the numbers in the degree column to indicate the 
line, and the numbers in the minute column to indicate the individual 
letter. As he says, a mathematician would be suspicious if he checked 
the numbers closely. 17 

An aberration in the story of book ciphers is the famous biliteral 
cipher of Francis Bacon, 18 which has caused so much error and confusion 
in the Bacon-Shakespeare authorship question. With a biliteral cipher, 
the text of a book is printed in two fonts, an A-font and a B-font, and 
the secret message is encoded in 5-letter groups such that aaaaa=A, 
aaaab=B, aaaba=C, etc. Bacon may indeed be the first to have employed a 
binary numbering system. It is a perfectly legitimate cipher, but, 
depending as it does on often questionable differences in type fonts, 
has frequently been misused or misunderstood. The Great Cryptogram of 
Ignatius Donnelly, 19 intended to expose Francis Bacon's Cipher in the 
Shakespeare plays, was nothing more than an elaborate cipher 
unwittingly constructed in reverse by Donnelly that allowed him to 
recover a desired plain text. The vivid imaginings of Elizabeth Wells 
Gallup come to mind also. 20 

THE SEVENTEENTH CENTURY 

The 17th century is marked by the often naive efforts of 
scientists to protect their claims to priority in discoveries by 
concealing them in anagrams. Huygens and Galileo furnish good 
examples. They didn't realize that an anagram is nothing more than an 
unkeyed transposition cipher containing many legitimate solutions. 
Galileo's discovery of the phases of the planet Venus "Cynthiae figuras 
aemulatur mater amorum" (The mother of love (Venus) imitates the phases 
of Cynthia (the moon)) was concealed in the anagram "Haec immatura a me 
jam frustra leguntur o.y." (These unripe things are now read by me in 
vain o.y.). 21 

THE EIGHTEENTH CENTURY 

By the 18th century Christian Breithaupt writes of using numbers 
for the page and line in which the desired letter occurs first. But he 
felt the method was not secure, since a clever investigator might find 
out what key book had been used. 22 Moreover, a great deal of searching 
might have to be done to find the desired letter as the initial letter 
of a line. Nevertheless, he says the method has become very common and 
is known to wanderers and beggars. 

Later in the century Philip Thicknesse writes of a method of 
numbering the pages, lines, and words of a text. 21 He says that it is 
"scarce possible to be disclosed without the key." But searching 
through many pages to find a desired word would make this a very slow 
system for practical use. 

With the coming of the American Revolution a number of different 
and improved book ciphers made their appearance. Numbering schemes 
were adopted that permitted the enciphering of individual letters. 
This made them somewhat easier to use and more precise. An early 
example of this sort was sent to Benjamin Franklin in Paris on 10 June 
1776 by Barbeu-Dubourg, the translator of Franklin's works. 24 

Barbeu-Dubourg proposed numbering each letter of a key text, whose 
source has recently been found. With the assistance of Dr. Eric Gans, 
Chairman of the French Department, University of California at Los 
Angeles, Dr. Leighton was able to extend the Barbeu-Dubourg key 
somewhat. As printed in the Franklin Papers (Vol. 22, p. 470) the short 
example of plain and cipher text was: 

3 2 19 5 23 16 12 44 53 10 51 4 61 36 17 6 24 71 1 
MA FEMME ET DEUX FILLES 

42 28 37 33 82 54 11 9 8 47 59 88 13 69 31 92 72 34 56 73 
V O U S 

6 94 4 20 40 100 68 48 

from which the fragmentary key: 

1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 
S  A  M  U  E  L           D     E           M  I     F 

was derived. Dr. Gans suggested completing the plain text phrase "Ma 
femme et deux filles" with the words "embrassent de tout leur etre" to 
form the greeting "My wife and two daughters embrace you with all their 
being." This extends the key to: 

SAMUE L_ARDBEN M I _ F R ML 

plus other scattered letters and indicates that the key begins with the 
names Samuel Ward and Benjamin Franklin (with an M mistakenly used for 
K) and suggests that the key was made up of names taken from the 
membership of the Secret Committee of the Continental Congress, which 
was obviously in touch with Barbeu-Dubourg. (The Secret Committee was 
the predecessor of the present day State Department.) 

Another of Franklin's correspondents was C.W.F. Dumas, who used a 
similar method of cipher. 25 By carefully following clues in Dumas' 
letters, Dr. Matyas determined that the book Droit des Gens was used as 
the key. 26 The key was mentioned subsequently in the Franklin Papers, 
indicating that it was found by at least one other person as well. 27 

One of the leading British generals in the Revolution, Frederick 
Haldimand, Governor of Canada, used a book cipher whose key was 
discovered some years ago "by an officer to whom Wm. F. Friedman (head 
of the U.S. Army cryptanalytic effort before and during WWII) was 
indebted." 28 It turned out to be the title page of a British Army List, 
a small book sure to be in the hands of every officer. 29 Further 
analyzing the problem, Dr. Leighton was recently able to extend this 
solution by finding the system which governed the associated code list. 
In his enciphered correspondence Haldimand was using numbers of the 
form 10-19 to stand for complete words. By studying the numbers and 
associated words found in some examples of Haldimand's deciphered 
messages, 30 Dr. Leighton was able to determine that the second part of 
the number stood for the letter which began the word and the first part 
indicated its position in the code list under that letter. Thus the 
word "there", represented by number 10-19, is the 10th word in the 19th 
sublist (of words all beginning with the letter "T"). Enough numbers 
and words have been analyzed to suggest that the code list had forty to 
fifty words per sublist. 

Benedict Arnold tried to use Blackstone's Commentaries as a key 
book, but found it so slow and cumbersome that he and Major Andre soon 
switched to Bailey's Dictionary , 21st edition, 1770, using a system 
based on page, column, and line numbers with a plus one displacement. 
Thus, "Zoroaster" became 928.2.2 not 927.1.1. If they had switched key 
books earlier, West Point might have been lost to the British. Two 
other famous British generals, Cornwallis and Clinton, in 1781, based a 
code on the 1777 edition of Entick's Dictionary , while Aaron Burr, in 
1805, used a similar method based on the 1800 edition of the same 
book. 31 

THE NINETEENTH CENTURY 

The first commercial venture to bring cryptography to the 
fingertips of most Americans occurred in 1805 with the publication of a 
small dictionary "to enable any two persons to maintain a 
correspondence, with a secrecy, which is impossible for any other 
person to discover." 32 A short list of directions for using the 
dictionary and numbering the words in a pair of books was provided. But 
there is nothing to show that this dictionary code was well-received, 
perhaps indicating that it was published more as a marketing ploy, 
since two books were required to make it work. 

Kluber's Kryptographik, published in 1809, is the most complete, 
useful, and possibly most influential of the early how-to books on 
cryptology. 33 He gives his highest recommendation to book ciphers as 
being extremely secure. Provided also are instructions showing how 
words, syllables, and individual letters can be enciphered differently 
each time they occur. For example, with a key text where figures 3 and 
61 stand for "also" and "sich", the cipher 3.1, 61.3, 61.4 denotes the plain 
text "ach", that is, the first letter of "also" and the third and fourth 
letters of "sich." 34 (Even in this simple example the letter "s" could 
be enciphered in two ways, using 61.1 or 3.3.) 

A cipher from about 1810 found in the Thurn und Taxis archives in 
Germany, by Dr. Erich Huttenhain, uses page, line, and letter 
numbers. 35 He was able to recover a few words of the key, but has not yet 
found the key book. 

The most sought after solution to a book cipher is that of the 
Beale ciphers, alleged to contain instructions to the Beale Treasure, 
supposedly buried in Virginia about the 1820s. 36 Of the three ciphers, 
the solution to one has been known about 100 years. It is based on 
numbering each word in the Declaration of Independence (When 1 in 2 the 
3 course 4 ....) and then using only the initial letters of the words: 
1=W, 2 = 1, 3 = T, 4 = C, etc. Despite the best efforts of many, including 
the Beale Cypher Society, no key document or book breaking the other two 
ciphers has been found. 

Better luck has been achieved with the book ciphers of Nicholas 
Trist, whose unauthorized negotiations with Mexico ended the Mexican 
War in 1847 and greatly expanded U.S. territory. While in Mexico, he 
found it necessary to devise two ciphers to permit secure communication 
with his superiors in Washington. One was based on numbering each 
letter of a passage; the other on a triple coordinate system in which 
individual letters were designated by numbers corresponding to the 
page, line, and position of the letter within the line. He described 
the key book circuitously in letters to James Buchanan, the Secretary 
of State, later to become President. In a model of scientific and 
literary detections, described in a recent issue of Cryptologia, Dr. 
Matyas, by carefully delimiting the field of investigation and then 
checking methodically hundreds of books, identified the key book, 
thereby unlocking additional enciphered Trist material. 17 

For anyone who wishes to undertake a similar quest, here is a good 
opportunity. Jefferson Davis, President of the Confederacy, proposed 
using a dictionary as a code book. 38 All that is necessary is to find a 
three column dictionary in which the 20th word in the left column of 
page 146 is "Junction." 

The use of a dictionary as a key book was particularly common in 
Victorian times and was frequently proposed in popular magazines. 39 
This really results, as previously said, in a one-part code with page 
numbers increasing from A to Z. Without super-encipherment of the 
numbers it is soon possible to estimate the size of the dictionary, 
number of columns, and average number of words per column. 

Perhaps the most curious use of a dictionary is in an 
international astronomical cipher code published at Harvard College 
Observatory in 1881. 40 Here we have a reverse dictionary code in which 
words from a particular edition of a dictionary are used to represent 
numbers. As an example, in this astronomical cipher, the first word 
always represents the day of the year and the time of day; the second 
word indicates the "distance of perihelion from node" and the third 
word stands for the "longitude of node." The message "Customably 
digitated butternut" is deciphered in this way: On page 136 the 73rd 
word "customably" = the 136th day of the year (16th of May), 73 is the 
time of day expressed decimally. "Digitated", the 8th word on page 150, = 
150°8', the distance of perihelion from node, and "butternut", the 28th 
word on page 91, represents 91°28', the longitude of node. 

Sherlock Holmes, never unaware of current trends, used a book 
cipher based on a non-existent edition of Whitaker's Almanac in The 
Valley of Fear. 41 His creator, Sir Arthur Conan Doyle, sent messages to 
British POWs in Germany in World War I by inconspicuous pinpricks under 
desired letters, a method already described. 42 

THE TWENTIETH CENTURY 

The outstanding achievement in solving a book cipher must go to 
William F. Friedman, who cryptanalyzed a Hindu book cipher in World War 
I. He did so without knowledge of the key book, although the book was 
later identified. 43 

Herbert O. Yardley, author of The American Black Chamber, worked 
in China shortly before our entry into World War II. Some of his 
achievements are told in his recently published The Chinese Black 
Chamber, including the use of a book as a key to encipher messages in 
the Chinese Telegraph Code (Ming Code). 44 After receiving a message, 
which began with the 5-letter group EHEER , he theorized that the 
letters might indicate message numbers and date. Thus, he equated 
EHEER = 10112 = message 101 of the 12th. A similar equivalency was made 
on successive days, which allowed him, after putting the letters in 
normal order, to recover parts of three words: 

0 12 3 4 
HER 
L I G H 
G R IN 

Investigation revealed that the words came from pages 17, 18, and 19 of 
Pearl Buck's The Good Earth . 

Many of the systems using books result in cipher messages which 
are much longer than the original plain text. A way to avoid this is the 
running key, where a text from a book is combined in one of many 
possible ways with the desired plain text to produce a cipher text of 
the same length. Robert Graves, in his I, Claudius (a fictional work), 
describes a running key cipher in which the key is the first hundred 
lines of Homer's Iliad.*5 Each letter in the cipher is represented by 
the number of letters in the alphabet (ABC...Z) between it and the 
corresponding letter in Homer. Suppose the Iliad began with the word 
"Achilles," then the recipient of the cipher 10 6 4 3 would count 10 
letters from A, 6 from C, 4 from H and 3 from I and would find the plain 
text KILL: 

    ABCDEFGHIJKLMNOPQRSTUVWXYZ 
10  A---------K 
 6    C-----I 
 4         H---L 
 3          I--L 

Another common way of using a running key is illustrated: 

    P   W H E N I N T 
    K   T A K E O F F 
    C   X T G R G S M 

where P = plain text, K = Key, and C = Cipher text. When two standard 
alphabets are slid against each other with the "T" of the second 
alphabet aligned under the "W" of the first alphabet, in this way 

    ABCDEFGHIJKLMNOPQRSTUV|W|XYZABCDEFGHIJ.... 
       ABCDEFGHIJKLMNOPQRS|T|UVWXYZ 

then the cipher "X" is the letter in the second alphabet aligned under 
the letter "A" of the first alphabet, assuming that the first alphabet 
is continuous. 

William F. Friedman, who broke the Japanese diplomatic cipher used 
in World War II, was the first person known to the authors to 
systematically solve running key ciphers.*6 His basic approach was to 
assume that both the key and the plain text were intelligible 
sequences. Once started, an extension of the key automatically extends 
the plain text and vice versa. The example above can illustrate the 
principle. If the first two words "When" (plaintext) and "Take" (key) 
are known, the assumption of the word "in" (plain text) would 
automatically give "of" for the key. Completion of the word to "off" 
would give "t" as the beginning of the next word in the plain text 
suggesting "the". Thus the key and plain text can be worked against 
each other to extend both. 

If the key is not intelligible, but random (e.g. using a book of 
random numbers or letters), then one has a completely unbreakable 
one-time system. But no part of the key can be used more than once, so 
that the amount of keying material needed must be equal to the 
anticipated amount of plain text to be communicated, which could be 
substantial. A code book of random numbers or letters is not easily 
hidden among the books of an ordinary library, so that it may be 
difficult to maintain the secrecy of the keying material without 
drawing undue attention to it. An example of a one-time system is found 
in one of Che Guevara's worksheets, which was discovered after his 
death in 1967. The worksheet is in the following form: 

    P   7 2 8 3 2 3 4 8 
    K   3 4 6 5 1 4 2 1 
    C   0 6 4 8 3 7 6 9 

The plain line (P) represents a simple numerical substitution of the 
plain text LECHE (i.e. Fidel Castro). The key (K) is a stream of random 
numbers. The cipher text (C) is produced by non-carrying addition.*7 
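The three combining rules described above (the Iliad count, the slid alphabet illustrated with WHEN/TAKE, and the worksheet's non-carrying addition), as an added Python example that is not part of the original paper; the key text ACHILLES and the digit groups are those quoted in the text, and the key-reuse function at the end is this example's own illustration of why no key group may be used twice.

```python
"""Running-key and one-time combining rules from the worksheets above.

Added example (not from the paper).  Three rules are implemented:
  * Iliad count: cipher number = letters counted forward from the key
    letter to the plaintext letter, so 10 counted from A gives K.
  * Slid alphabet: key letter aligned under the text letter, cipher letter
    read under A, i.e. C = K - P (mod 26), a rule that is its own inverse.
  * Non-carrying digit addition of the Che Guevara worksheet, C = P + K
    digit by digit with no carries, and the matching subtraction.
Sample texts are the ones quoted in the text.
"""
from typing import Iterable, List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text: str) -> str:
    """Upper-case and keep letters only; the ciphers ignore spacing."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def _check_key(key: str, needed: int) -> None:
    if len(key) < needed:
        raise ValueError("running key is shorter than the text")


def iliad_encipher(plain: str, key: str) -> List[int]:
    """Cipher numbers: count from each key letter forward to the plain letter."""
    p, k = _letters(plain), _letters(key)
    _check_key(k, len(p))
    return [(ALPHABET.index(pc) - ALPHABET.index(kc)) % 26 for pc, kc in zip(p, k)]


def iliad_decipher(counts: Iterable[int], key: str) -> str:
    """Count forward from each key letter by the cipher number."""
    counts, k = list(counts), _letters(key)
    _check_key(k, len(counts))
    return "".join(ALPHABET[(ALPHABET.index(kc) + n) % 26]
                   for n, kc in zip(counts, k))


def slid_alphabet(text: str, key: str) -> str:
    """Slide the key letter under the text letter and read the letter under A.

    With T under W the letter under A is X, so C = K - P (mod 26).  Applying
    the same rule to the ciphertext with the same key restores the plaintext.
    """
    t, k = _letters(text), _letters(key)
    _check_key(k, len(t))
    return "".join(ALPHABET[(ALPHABET.index(kc) - ALPHABET.index(tc)) % 26]
                   for tc, kc in zip(t, k))


def _digits(group: str) -> List[int]:
    if not group.isdigit():
        raise ValueError("digit groups only")
    return [int(ch) for ch in group]


def noncarry_add(p: str, k: str) -> str:
    """Worksheet line C: each plain digit plus the key digit, modulo 10."""
    if len(p) != len(k):
        raise ValueError("key group must be as long as the plain group")
    return "".join(str((a + b) % 10) for a, b in zip(_digits(p), _digits(k)))


def noncarry_sub(c: str, k: str) -> str:
    """Inverse of noncarry_add: cipher digit minus key digit, modulo 10."""
    if len(c) != len(k):
        raise ValueError("key group must be as long as the cipher group")
    return "".join(str((a - b) % 10) for a, b in zip(_digits(c), _digits(k)))


def key_reuse_residue(c1: str, c2: str) -> str:
    """What two cipher groups made with the SAME key group reveal: their
    digit-wise difference equals P1 - P2, the key having cancelled out.
    This is why the text insists that no part of the key is used twice."""
    return noncarry_sub(c1, c2)
```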
CONCLUSION 



We have traced the origin and development of book ciphers over a 
period of at least 400 years and seen a few of the ways in which a book 
may be used for secure communications. The Beale ciphers are excellent 
proof that sometimes book ciphers are very secure indeed! 
ABSTRACT 

Since Crypto 83 we have had considerably more experience in 
factoring large integers. Implementation of various modifications to the 
quadratic sieve algorithm have enabled the factorization of hard 70- 
digit numbers in times comparable to 50 digits one year ago. These 
modifications include: 

1) Subsequences with large divisors (Special q's). 

2) Multipliers to improve quadratic properties. 

3) Increased size of prime base using segmented Gaussian 
Elimination. 

4) Optimization of the code with respect to Cray hardware. 

Using this code in its various stages of development the 10 most 
wanted numbers from the Cunningham Project have been factored. 
Details will be published elsewhere. 
R. C. Fairfield, A. Matusevich, and J. Plany 
Morristown, N.J. 07960 

ABSTRACT 

This paper describes an LSI digital encryption processor (DEP) for 
data ciphering. The DEP combines a fast hardware implementation of 
the Data Encryption Standard (DES) published by the National Bureau of 
Standards (NBS) with a set of multiplexers and registers under the 
control of a user programmed sequencer. This architecture enables the 
user to program any of the DES modes of operation published by NBS. 
In addition, multiple ciphering operations and multiplexed ciphering 
operations using up to four different keys may be programmed and 
internally executed without any external hardware. 

The DEP is designed as a standard microprocessor peripheral. This 
LSI device should reduce the current cost and simplify the process of 
encrypting digital data to a point where it is feasible to include a 
ciphering function in modems, terminals, and work stations. The 
ability to internally program cascaded ciphers should substantially 
increase the security of the DES algorithm and hence, the life of the 
encryption equipment. 

INTRODUCTION 

In January 1977 the National Bureau of Standards (NBS) adopted an 
IBM developed block cipher called the Data Encryption Standard (DES) 
[1]. Approximately four years later, in December 1980, the NBS 
published a follow-up document titled "DES Modes of Operation" [2] 
which describes four DES operating modes and some of their 
characteristics. This paper describes a new LSI device called the 
Digital Encryption Processor (DEP) developed by AT&T Bell Laboratories 
and manufactured by AT&T Technologies. The DEP has been validated by 
the NBS as complying with the DES. Other devices have also been 
certified. This, however, is the first LSI device to incorporate all 
of the standard DES modes of operation into a single integrated 
circuit and provide the user with the flexibility to program unique or 
custom ciphering functions. 

Unless provisions are made now to effectively lengthen the key 
space of current DES enciphering modes, the encryption equipment life 
may be shortened by integrated circuit technology advances. To date, 
the best known attack on the DES algorithm is a brute force search of 
the key space under a known plaintext attack. Today's fastest DES 
integrated circuits can perform a maximum of 250K ciphering 
operations/second. The operating speed may be increased by a factor 
of 12 by shrinking the design rules. Further performance improvements 
may be achieved by pipelining the DES algorithm (factor of 16). 
Pipelining would require sixteen sets of: (1) 64 bit L and R 
registers; (2) 56 bit C and D registers; (3) 32 "exclusive-or" 
gates; (4) 48 "exclusive-or" gates; and (5) 8 s-boxes (2044 bits 
of ROM). This would increase the integrated circuit transistor count 
by approximately a factor of 16. Certainly, this would be a huge 
integrated circuit even by today's standards. Despite these speed 
improvements, an array of devices would still be required to search 
the key space in a reasonable amount of time. Therefore, each device 
should be capable of independent operation. This would require each 
integrated circuit to have an independent controller, a comparator 
function to flag matching ciphertext, and a read/write key counter 
register. Then, using an array of five-hundred devices each 
independently searching a different part of the key space, all 
possible keys could be checked in one month. This is a distressing 
result for a DES device or board manufacturer who would like to see a 
product in the field for a period of years. For this reason the DEP 
device may be programmed to internally perform cascaded ciphering 
operations using up to four different keys. A cascade of k ciphers 
may not be equivalent to increasing the key size (56 bits) by a factor 
of k since a time-memory tradeoff may be made; however, it is 
certainly far more work than searching the key space of a single 
cipher. See reference [3]. S. Even and O. Goldreich have shown that 
a cascade of two DESs can be cracked in time 2**71 and space 2**41 
[4]. Work increases on this order would extend the practical life of 
the DES for years. It may also be possible to rearrange the feedback 
in a cascaded cipher to prevent a meet in the middle known plaintext 
attack. 

The DEP combines a fast hardware implementation of the DES with a 
sixty-four bit input shift register, a sixty-four bit output shift 
register, a set of multiplexers necessary to configure the operating 
modes, a data latch, and four sets of key and initial value registers. 
Control over this hardware is provided by a user programmed sequencer. 
This sequencer provides the flexibility necessary to program any of 
the four DES operating modes and to tailor the encryption function to 
the system requirements. Additionally, the four different key and 
initial value registers may be used to program multiplexed ciphering 
operations or to provide for enhanced security requirements by 
programming multiple ciphering operations using different keys. 

The DEP is designed as a microprocessor peripheral and is packaged 
in a standard forty pin dual-in-line package. Figure 1 shows a block 
diagram of the device. There are two separate parallel bidirectional 
eight bit ports, two separate serial bidirectional data ports and a 
serial key port. All of these ports may be read or written 
asynchronously with respect to the clock input. The separate data 
ports are provided to increase data throughput and security by 
allowing separate plaintext and ciphertext buses. There are seven 
possible data port configurations. The serial key input port would 
typically be used to load a key from external circuitry, say a ROM, 
that the user keeps locked up when not in use. Microprocessor polled 
or interrupt systems may be configured, since output flags may be read 
from the data buses or on independent output pins. Maximum data rate 
for the device in any of the standard operating modes is as follows: 

Input Clock (Tc)        2.5 MHz (worst case)    4.5 MHz (nominal) 
                        (-40 to 80 deg C) 
Instruction Period      2*Tc 
Ciphering op/sec        73.5K (worst case)      132K (nominal) 

All four NBS defined operating modes may be executed in a minimum of 
17 instructions. If the entire DES output block (64 bits) is used for 
the ciphering operation, the worst case data throughput is 0.59 
megabytes per second. 

The internal user programmed sequencer enables the device to 
accommodate special system requirements and reduces host processor 
overhead. The DEP should reduce the cost and simplify the process of 
encrypting digital data to a point where it is possible to include a 
ciphering function in modems, terminals and work stations. In 
addition, the ability to internally program cascaded ciphers should 
substantially increase the security of the DES algorithm. This paper 
describes the DEP architecture, the micro-code instruction set, and 
then gives some unique applications. 

ARCHITECTURE 

The DEP architecture may be divided into two sections: the 
ciphering hardware and the user programmed sequencer. 

THE CIPHERING HARDWARE 

The DES specifies a cryptographic algorithm which is a nonlinear 
sixty- four bit block cipher using a fifty-six bit key. The components 
of the algorithm are simple and individually weak. They consist of 
permutations, combinations ("exclusive-or" sums) of the data and 
internal key bits, and nonlinear substitutions. These weak elements 
are combined and the data are encrypted in sixteen iterations through 
them. Sixteen 48 bit internal keys are generated by rotating and 
permuting the 56 bit DES input key. Although NBS has published the 
DES [1], no cryptographic analysis or justification for the specific 
elements in the algorithm has been published. The published 
literature does, however, provide some insight into the inner workings 
of the algorithm [5] and [6]. The key input to the DEP device is a 64 
bit number with the least significant bit in each byte, or every 
eighth bit in a serial key load, a parity bit. Odd parity is checked 
and a flag is set if parity fails. Device operation is not inhibited 
by a parity failure. 
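The key handling this paragraph describes, as an added Python example that is not the DEP's hardware or the paper's code: the odd-parity check on each key byte, which only raises a flag, and the generation of the sixteen 48-bit internal keys by rotating and permuting the 56 key bits, using the rotation pattern the six-instruction DES subroutine clocks later in the paper (1, 1, six times 2, 1, six times 2, 1). PC-1 and PC-2 are the published DES tables; the test key 133457799BBCDFF1 is a commonly used DES test value chosen here, not one from the paper.

```python
"""DES key handling as the DEP performs it: odd-parity check of the 64-bit
key and the sixteen 48-bit internal keys produced by rotating and permuting
the 56 key bits, with the rotation pattern of the six-instruction DES
subroutine (1, 1, six times 2, 1, six times 2, 1: 28 positions in all).

Added example, not the DEP's hardware or the paper's code.  PC1 and PC2 are
the permutation tables of the published DES standard.  The sample key
133457799BBCDFF1 used in the checks is a commonly used DES test key chosen
here; it is not a value from the paper.
"""
from typing import List

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]

# Rotations per round as the subroutine clocks C and D: steps 1 and 2 rotate
# once each, step 3 twice for six rounds, step 4 once, step 5 twice for six
# rounds, step 6 once.  The sum is 28, one full turn of each 28-bit half.
SHIFTS = [1, 1] + [2] * 6 + [1] + [2] * 6 + [1]
assert sum(SHIFTS) == 28


def parity_failures(key: bytes) -> List[int]:
    """Indexes of key bytes whose odd parity fails; the least significant
    bit of each byte is the parity bit.  The DEP sets a flag on failure but
    does not inhibit ciphering, so the caller decides what to do with it."""
    if len(key) != 8:
        raise ValueError("DES key is 8 bytes")
    return [i for i, b in enumerate(key) if bin(b).count("1") % 2 == 0]


def _bits(data: bytes) -> List[int]:
    """Bits of the data, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _permute(bits: List[int], table: List[int]) -> List[int]:
    return [bits[i - 1] for i in table]          # DES tables are 1-indexed


def _rotate_left(half: List[int], n: int) -> List[int]:
    return half[n:] + half[:n]


def _to_int(bits: List[int]) -> int:
    return int("".join(map(str, bits)), 2)


def key_schedule(key: bytes, decrypt: bool = False) -> List[int]:
    """Sixteen 48-bit internal keys, round 1 first.  PC1 drops the eight
    parity bits.  For decryption the DEP rotates the other way (SHFTR high)
    so the keys come out in reverse order; reversing the encrypt list gives
    the same sequence."""
    cd = _permute(_bits(key), PC1)
    c, d = cd[:28], cd[28:]
    keys = []
    for n in SHIFTS:
        c, d = _rotate_left(c, n), _rotate_left(d, n)
        keys.append(_to_int(_permute(c + d, PC2)))
    return keys[::-1] if decrypt else keys
```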

Figure 2 shows a block diagram of the DEP ciphering hardware, with 
the DES key schedule and enciphering circuitry enclosed in dotted 
lines. The algorithm specified in the DES was designed to be 
implemented in hardware (not software). There are several permutation 
matrices specified in the standard and the penalty for a software 
implementation is an inordinate amount of time spent shuffling or 
permuting bits. This operation has no overhead in hardware, since the 
permutation matrix is simply a crisscross of wires. The DES section 
of the enciphering circuitry consists of: a 2:1 multiplexer with 64 
sections; two 32 bit L and R registers; 32 "exclusive-or" gates; and 
a cipher function, F, of the internal key and R register. Figure 3 
illustrates the F function. The eight s-boxes shown are the nonlinear 
algorithm elements and are implemented as eight ROMs, each consisting 
of 64, four bit words (six address lines and four outputs). 

FIGURE 3. F FUNCTION 



Since the DES algorithm is a block cipher, there is a one to one 
mapping of the input block to the output block. To a cryptographer, 
it is disconcerting to know that a recurring plaintext block will 
duplicate the earlier ciphertext block. This leaves the crypto system 
vulnerable to traffic analysis and the possibility of insertion or 
deletion of messages by an active intruder. Hence, the NBS published 
the "DES modes of operation" [2]. Four modes are defined: 

1. Electronic Codebook (ECB) is a straightforward implementation of 
   the DES algorithm. 

2. Cipher Block Chaining (CBC). To begin the operation, an initial 
   value is added modulo 2 to the first plaintext block to form the 
   DES input block. The DES output is the ciphertext. This output 
   is fed back and added modulo 2 to the next plaintext block 
   forming the new DES input block. CBC produces a ciphertext 
   dependent on previous plaintext blocks. 

3. K-bit Cipher Feedback (CFB). Starting with an initial value as 
   the DES input block, K plaintext input bits are added modulo 2 
   to the K most significant bits in the DES output block. The 
   result is the K-bit ciphertext which is fed back and shifted 
   into the K least significant bits of the DES input block to form 
   the next DES input block. 

4. Output Feedback (OFB). Starting with an initial value, the DES 
   is operated as a pseudo random bit stream generator (the DES 
   output is fed back as the input). Ciphertext is produced by 
   adding the plaintext to the random bit stream modulo 2. 

Figure 2 shows the sets of multiplexers, the "exclusive-or" gates, 
and the data latch necessary to configure the DES operating modes. 
MUX 6 and the latch register are used to shift the input data block 
for the CFB mode. MUX 13 is used to select the input to initial value 
registers 0 through 3. The initial value registers may be used to 
hold temporary products in a multiple encryption operation, or to 
store the next DES input block for the current ciphering operation, 
before jumping to a different ciphering operation. The input and 
output shift register circuitry is clocked by the rising edge of the 
decoded data write and read strobes applied to the chip. When the 
input shift register is filled, an ISRFULL flag is set and the DEP can 
cipher the new data and clear the flag. When the output shift 
register is empty, an OSREMPTY flag is set and the DEP can reload this 
register and clear the flag. These two flags may be read by the user 
on either of the two eight bit data ports or on separate output pins. 
This structure allows the external read and write strobes to be 
independent of the DEP clock. To achieve maximum data throughput a 
user would have to complete the reading and writing of data during the 
DEP ciphering operation. 

THE USER PROGRAMMED SEQUENCER 

The two eight bit bidirectional data ports, master and slave, may 
be thought of as plaintext and ciphertext ports, respectively. All 
control registers must be written through the master port. Other than 
data, which may be read or written for ciphering, only three flag bits 
of the status register may be read from the slave port. See Tables 1 
and 2. Control over the ciphering hardware is provided by the user 
programmed sequencer. A block diagram is shown in Figure 4. The 
sequencer executes a 22 bit instruction every two clock cycles. 
Depending on the address in the program counter, these instructions 
may come from either a RAM or ROM program memory. 

The ROM contains three programs and one subroutine. The subroutine 
executes the DES algorithm using whatever key is currently in the C 
and D registers (Key Schedule, Figure 2) to encipher whatever data is 
sitting at the input to the initial permutation matrix (labeled IP, 
DES Enciphering circuitry). There are four pairs of key and initial 
value registers that may be externally loaded. These registers are 
loaded by writing the address (0 through 3) of the key/initial value 
pair to an internal status register. Then the appropriate ROM program 
is executed. The three programs are described (ROM Code, Table 3): 

1. A load initial value program waits for an eight byte number to 
be written to the master port. When the ISRFULL flag is set, 
this number is clocked into the initial value register addressed 
by the status register. 

2. A load key program waits for an eight byte number to be written 
to the master port. When the ISRFULL flag is set, this number 
is clocked into the key register addressed by the status 
register. Odd parity of each byte is checked. The least 
significant bit in each byte is the parity bit. 

3. A serial load key program waits for a sixty-four bit number to 
be clocked into the serial key data port using the serial key 
clock. When this program is executed, a hardware key request 
pin goes active. When the key is loaded into the input shift 
register, the sequencer clocks the number into the key register 
   addressed by the status register. The key request flag is then 
   cleared. Odd parity of every eight bits is checked. Each 
   eighth bit input is the parity bit. 

TABLE 1. MASTER PORT REGISTERS (READ/WRITE) 

TABLE 2. SLAVE PORT REGISTERS (READ/WRITE) 

TABLE 3. PROGRAM ROM CODE 
* These are self contained programs. They may not be called 
as subroutines from another program. 
** B6 is an unnecessary mnemonic in this code. 

At the end of all three of these programs the sequencer goes into 
an endless loop (wait state) until a new program is executed. 

The RAM contains the ciphering program and must be written by the 
user prior to any ciphering operation. The RAM may hold up to 
thirty-two instructions, more than enough to program both encrypt and 
decrypt of any standard DES mode. The user loads the RAM through the 
eight bit master port. After first writing the RAM address (20H to 
3fH) to the mode control register, the user writes three bytes for 
each 22 bit program instruction. The two most significant bits, in 
one of the bytes, are not used. The RAM, or the ROM (address 00H to 
11H), may be read in a similar manner. 

To begin ciphering or the execution of a program located in either 
RAM or ROM, the user writes the program memory starting address to the 
mode control register. Two clock cycles later this address is loaded 
into the program counter (Figure 4) and execution begins. Data flow 
through the ports and the associated assignments of the master and 
slave flags are controlled by the port configuration register; see 
Table 4. Normally this register would be written before executing a 
ciphering program. 



PORT CONFIG       HEX CODE    OUTPUT PIN/FLAG ASSOCIATIONS 

MP --> SP         04 or 84    MFLG1 - ISRFULL     SFLG - OSREMPTY 
MP <-- SP         11 or 91    MFLG1 - OSREMPTY    SFLG - ISRFULL 
--> MP            01 or 81    MFLG1 - OSREMPTY    MFLG2 - ISRFULL 
MPSD --> SPSD     28 or A8    MFLG1 - ISRFULL     SFLG - OSREMPTY 
MPSD <-- SPSD     62 or E2    MFLG1 - OSREMPTY    SFLG - ISRFULL 
MP --> SPSD       08 or 88    MFLG1 - ISRFULL     SFLG - ISRFULL 
MP <-- SPSD       61 or E1    MFLG1 - OSREMPTY    SFLG - ISRFULL 

NOTE: THE MOST SIGNIFICANT BIT IN THE HEX CODE FOR THE PORT 
CONFIGURATION IS AN INPUT FLAG. IT IS TESTED BY THE MICROCODE MNEMONIC LT?. 
THIS BIT MAY BE USED AS A GENERAL PURPOSE CONDITIONAL JUMP. 

TABLE 4. PORT CONFIGURATION 
(MASTER PORT ADDRESS = 2) 
MICRO-CODE INSTRUCTION SET 

Mnemonics, corresponding to actual signal names, were defined for 
the program instruction set. Table 5 defines a 22 bit instruction 
composed of three bytes, M1, M2, and M3. 

Bit 4 of M2 controls the interpretation of M1 and the three most 
significant bits in M2. If bit 4 of M2 is low, the multiplexer select 
lines are latched. In the program convention used, the presence of a 
mnemonic, S1 for example, indicates the control line is latched high. 
Conversely, the absence of a multiplexer mnemonic indicates the 
control line is latched low. If bit 4 of M2 is high, the specified 
signal is enabled only for the duration of the instruction period, two 
clock cycles. An enable and the associated clock signal, e.g., LDDES 
and CKDES, must be programmed in the same instruction since none of 
these signals are latched. 

Bits 0 through 3 of M2 are decoded and select one of twelve 
commands. With the exception of RET and CLEAR, all of these commands 
use all or some of the bits in M3 as an argument. The three commands 
SROL, ADD, and IO latch bits of M3 until overwritten, or a subsequent 
CLEAR command is issued. 

A C language* assembler was written to facilitate the development 
of ciphering programs. The output of that assembler is shown in Table 
3 for the ROM code. Whenever bit 4 of M2 is set low, the ciphering 
multiplexers are set-up and the assembler program prints the inputs to 
the DES (DES INPUT), output shift register (OSR INPUT), initial value 
register (IV INPUT), and data latch (LATCH INPUT). This is useful in 
checking that the multiplexer configuration latched is correct. The 
six instruction DES subroutine may then be explained as follows: 

1. The input to the DES initial permutation matrix is clocked into 
   the L and R registers (Figure 2). Simultaneously, the key 
   schedule C and D registers are clocked or shifted. The 
   direction of the shift is dependent on the state of the SHFTR 
   signal. SHFTR is set low to encrypt (left shift) and high to 
   decrypt. 

2. The first iteration of the DES is clocked into the L and R 
   registers and the key schedule C and D registers are again 
   shifted one position. A five is loaded into the loop counter. 

3. This statement is executed six times as the next six DES 
   iterations are clocked into the L and R registers. 
   Simultaneously, the key is shifted two positions six times. 

4. The eighth iteration of the DES is clocked into the L and R 
   registers and the key schedule C and D registers are again 
   shifted one position. A five is loaded into the loop counter. 

5. This statement is executed six times as the next six DES 
   iterations are clocked into the L and R registers. 
   Simultaneously, the key is shifted two positions six times. 

6. The fifteenth iteration of the DES is clocked into the L and R 
   registers and the key schedule C and D registers are again 
   shifted one position. 

At this point the output of the DES enciphering circuitry, the 
inverse initial permutation matrix (IP-1), will have the sixteenth DES 
iteration or the output block. 

* C is a general purpose programming language designed for 
and implemented on the UNIX (registered trademark of 
AT&T Bell Labs) operating system. 

INSTRUCTION FORMAT: M1 and M2 bits 7 to 5 hold the clock commands or 
the multiplexer settings (selected by M2 bit 4), M2 bits 3 to 0 the 
conditional instruction, and M3 the conditional argument. 

CLOCK COMMANDS (M2-bit 4=1) 

BIT     MNEMONIC    DEFINITION 
M1-7    LDDES       Enables the DES enciphering multiplexer to pass the output from 
                    MUX1 when high and pass the DES output when low. 
M1-6    CKDES       Clocks the DES L and R registers. 
M1-5    CKL         Clocks the latch register. 
M1-4    SHFT2       Enables the key schedule circuitry to rotate 2 positions when 
                    high, and 1 position when low. 
M1-3    WKEY        Writes the output from the ISR into the key register currently 
                    addressed. 
M1-2    LDKEY       Enables the key schedule circuitry multiplexer to pass the key 
                    register output when high and pass the key schedule output 
                    when low. 
M1-1    CKKEY       Clocks the key schedule C and D registers. 
M1-0    CLISRF      Clears the ISRFULL flag and allows data to be written into ISR. 
M2-7    CLOSRE      Clears the OSREMPTY flag and allows data to be read from the OSR. 
M2-6    CKOSR       Clocks the output from MUX4 into the OSR. 
M2-5    WIV         Writes the output from MUX13 into the initial value register 
                    currently addressed. 

MULTIPLEXER SETTINGS (M2-bit 4=0) 

MNEMONIC    DEFINITION 
S1          Selects input line for MUX1. 
B2 A2       Select input lines for MUX2: 00 = input 0, 01 = input 1, 
            10 = input 2, 11 = unknown. 
S3          Selects input line for MUX3. 
S4          Selects input line for MUX4. 
S5B S5A     Select input lines for MUX5. 
B6 A6       Select input lines for MUX6 (00, 01, 10, 11). 
B13 A13     Select input lines for MUX13. 

NOTE: The multiplexer settings are all latched. 

TABLE 5. MICRO-CODE INSTRUCTION FORMAT (part 1 of 2) 

CONDITIONAL INSTRUCTIONS 

M2-BIT 3 2 1 0    MNEMONIC     DEFINITION 
0 0 0 0           LLC          Loads the loop counter with the least significant nibble 
                               in M3. There is only one loop counter. 
0 0 0 1           ILC          Decrements the loop counter and jumps to the address in 
                               M3 if the loop counter is zero. 
0 0 1 0           SUB          The current program instruction address is incremented 
                               and stored before the program jumps to the address 
                               specified in M3. Only one level of subroutine call is 
                               allowed. 
0 0 1 1           RET          The program jumps to the address stored when the 
                               preceding SUB command was executed. 
0 1 0 0           GTO          The program jumps to the address in M3. 
0 1 0 1           ISRFT?       If the ISR is not full, the program jumps to the address 
                               specified in M3. 
0 1 1 0           OSRET?       If the OSR is not empty, the program jumps to the 
                               address specified in M3. 
0 1 1 1           ISRFOSRET?   If the ISR is full and the OSR is empty, then the 
                               program jumps to the address specified in M3. 
1 0 0 0           LT?          If bit 7 of the port configuration register is set low, 
                               the program jumps to the address specified in M3. This 
                               bit may be used to control the order in which the key 
                               schedule is invoked. 
1 0 0 1           SROL         M3-0 = 1   SHFTR   Latches a right key schedule rotation. 
                               M3-0 = 0   SHFTL   Latches a left key schedule rotation. 
1 0 1 0           ADD          M3-0   INT    A high latches the internal key/IV address 
                                             bus. A low latches the external bus 
                                             (Status Register OA1, OA0). 
                               M3-1   ADD0   Internal key/IV address bus: 
                               M3-2   ADD1   ADD1 ADD0 = 00, 01, 10, 11 selects 
                                             key/IV address 0, 1, 2, 3. 
1 0 1 1           IO           M3-0   ACT        A high latches the ACTIVE flag. 
                               M3-1   LDMP       A high latches the input circuitry to 
                                                 receive data from the master port. 
                                                 Overrides the port configuration 
                                                 setting. 
                               M3-2   SERIAL     A high latches the key circuitry for a 
                                                 serial key input. 
                               M3-3   1BIT*      A high latches the I/O circuitry to 
                                                 write/read a single bit. If the 
                                                 parallel ports are programmed only the 
                                                 most significant bit in the byte is 
                                                 used. 
                               M3-4   8BIT*      A high latches the I/O circuitry to 
                                                 write/read 8 serial bits or 1 parallel 
                                                 byte. 
                               M3-5   SISRFOSRE  A high sets both ISRFULL and OSREMPTY 
                                                 flags active. 
1 1 0 0           CLEAR        A high sets all bits in the latches controlled by SROL, 
                               ADD, and IO low. 

* NOTE: If both of these bits are low, the I/O circuitry is set to write/read 
64 serial bits or 8 parallel bytes. The condition with both bits being high 
is undefined. 

TABLE 5. MICRO-CODE INSTRUCTION FORMAT (part 2 of 2) 
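A decoder for the 22-bit instruction word defined in Table 5, as an added Python example (not the paper's C assembler), checked against the ECB and CBC words of Table 6. The clock-command bits, the M2 bit 4 mode flag and the M2 bits 3..0 command codes follow Table 5; the bit positions assumed for the multiplexer mnemonics B2, S3, S4, S5A, B6 and B13 are inferred from the Table 6 listings and are this example's assumption, with unidentified bits reported by number.

```python
"""Decoder for the DEP's 22-bit micro-instruction (bytes M1, M2, M3).

Added example, not the paper's assembler.  The clock-command bits, the
M2 bit 4 mode flag and the command codes in M2 bits 3..0 follow Table 5.
The multiplexer mnemonic positions are an ASSUMPTION inferred from the
Table 6 listings (M1 = 59h, M2 = 48h prints "B2 S3 S4 B6 B13"); set bits
with no identified mnemonic are reported by number, e.g. "M1-5".
"""
from typing import Dict, List, Tuple

# One-period clock commands, active when M2 bit 4 is high (Table 5, part 1).
CLOCK_M1 = {7: "LDDES", 6: "CKDES", 5: "CKL", 4: "SHFT2",
            3: "WKEY", 2: "LDKEY", 1: "CKKEY", 0: "CLISRF"}
CLOCK_M2 = {7: "CLOSRE", 6: "CKOSR", 5: "WIV"}

# Latched multiplexer selects, active when M2 bit 4 is low.  ASSUMED positions.
MUX_M1 = {6: "B2", 4: "S3", 3: "S4", 1: "S5A", 0: "B6"}
MUX_M2 = {6: "B13"}

# M2 bits 3..0: mnemonic and how the M3 argument is read (Table 5, part 2).
COMMANDS = {0x0: ("LLC", "nibble"), 0x1: ("ILC", "addr"), 0x2: ("SUB", "addr"),
            0x3: ("RET", None), 0x4: ("GTO", "addr"), 0x5: ("ISRFT?", "addr"),
            0x6: ("OSRET?", "addr"), 0x7: ("ISRFOSRET?", "addr"),
            0x8: ("LT?", "addr"), 0x9: ("SROL", "srol"), 0xA: ("ADD", "add"),
            0xB: ("IO", "io"), 0xC: ("CLEAR", None)}
IO_M3 = {0: "ACT", 1: "LDMP", 2: "SERIAL", 3: "1BIT", 4: "8BIT", 5: "SISRFOSRE"}

ROM_RANGE = range(0x00, 0x12)   # ROM programs and DES subroutine, 00H to 11H
RAM_RANGE = range(0x20, 0x40)   # user ciphering program, 20H to 3FH


def _names(byte: int, table: Dict[int, str], prefix: str) -> List[str]:
    """Mnemonics for the set bits of byte, most significant bit first."""
    return [table.get(bit, f"{prefix}-{bit}")
            for bit in range(7, -1, -1) if byte >> bit & 1]


def decode(m1: int, m2: int, m3: int) -> Tuple[List[str], str]:
    """Return (signal mnemonics, command text) for one instruction word."""
    if not (0 <= m1 <= 0xFF and 0 <= m2 <= 0xFF):
        raise ValueError("M1 and M2 are bytes")
    if not 0 <= m3 <= 0x3F:          # 22-bit word: the top two bits of M3 are unused
        raise ValueError("M3 carries six bits")
    if m2 >> 4 & 1:                  # clock commands, enabled for one period
        signals = _names(m1, CLOCK_M1, "M1") + _names(m2 & 0xE0, CLOCK_M2, "M2")
    else:                            # multiplexer selects, latched until rewritten
        signals = _names(m1, MUX_M1, "M1") + _names(m2 & 0xE0, MUX_M2, "M2")
    code = m2 & 0x0F
    if code not in COMMANDS:
        return signals, f"undefined command {code:x}"
    name, arg = COMMANDS[code]
    if arg is None:
        text = name
    elif arg == "addr":
        text = f"{name} {m3:02x}"
    elif arg == "nibble":
        text = f"{name} {m3 & 0x0F}"
    elif arg == "srol":              # M3 bit 0: SHFTR (right) or SHFTL (left) rotation
        text = f"{name} {'SHFTR' if m3 & 1 else 'SHFTL'}"
    elif arg == "add":               # M3 bit 0 = INT, bits 2..1 = ADD1 ADD0
        text = f"{name} INT={m3 & 1} ADDR={(m3 >> 1) & 3}"
    else:                            # "io": one mnemonic per set bit of M3
        text = " ".join([name] + [IO_M3[b] for b in range(6) if m3 >> b & 1])
    return signals, text


def listing(words: List[Tuple[int, int, int, int]]) -> List[str]:
    """Disassemble (addr, M1, M2, M3) tuples as written to the mode control
    register; flag addresses outside the user RAM and SUB targets outside
    the ROM, which is where the DES subroutine lives."""
    lines = []
    for addr, m1, m2, m3 in words:
        signals, text = decode(m1, m2, m3)
        note = ""
        if addr not in RAM_RANGE:
            note = "  ; not a user RAM address"
        elif text.startswith("SUB ") and m3 not in ROM_RANGE:
            note = "  ; SUB target outside ROM"
        lines.append(f"{addr:02x}  {' '.join(signals + [text])}{note}")
    return lines
```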

A sample of the RAM micro-code for the standard ECB and CBC 
operating modes is given in Table 6. The code for the remaining 
standard operating modes is available and documented. 

APPLICATIONS 

The following applications illustrate the unique capabilities of 
the DEP. In order to perform similar operations with available 
integrated DES devices, considerable processor overhead or multiple 
devices might be required. 

TWO WAY ENCRYPTION APPLICATION 

The first application describes a two way encryption system using 
separate receive and transmit keys. A drop-in box between a terminal 
(or computer) and a modem was built. Clearly, this system requires a 
character oriented protocol. The eight bit cipher feedback mode was 
used. In a typical terminal to computer connection, the number of 
characters transmitted and received are unequal. The ciphering 
operation desired is shown in Figure 5. 

To transmit an encrypted character the number in initial value 
CODE 

ADDR  M1  M2  M3  ASSEMBLER MNEMONICS 

/* ECB ENCRYPT OR DECRYPT 
/* 
20    1   c   0   B6 CLEAR 
                  DES INPUT = ISR           OSR INPUT = DESOUT 
                  IV INPUT = ISR            LATCH INPUT = ISR 
21    7   18  23  LDKEY CKKEY CLISRF LT? 100 
22    2   19  1   CKKEY SROL SHFTR 
23    0   15  23  :100 ISRFT? 100 
24    c3  12  1   CLISRF LDDES CKDES CKKEY SUB 01 
25    0   17  28  ISRFOSRET? 120 
26    0   16  26  :110 OSRET? 110 
27    0   d4  23  CLOSRE CKOSR GTO 100 
28    c3  d2  1   :120 CLISRF CLOSRE CKOSR LDDES CKDES CKKEY SUB 01 
29    0   17  28  :130 ISRFOSRET? 120 
2a    0   14  26  GTO 110 
/* 
/* CBC ENCRYPT 
/* 
2b    3   c   0   S5A B6 CLEAR 
                  DES INPUT = ISR ^ IV      OSR INPUT = DESOUT 
                  IV INPUT = ISR            LATCH INPUT = ISR ^ IV 
2c    7   18  2e  LDKEY CKKEY CLISRF LT? 200 
2d    2   19  1   CKKEY SROL SHFTR 
2e    0   15  2e  :200 ISRFT? 200 
2f    c3  12  1   CLISRF LDDES CKDES CKKEY SUB 01 
30    13  4   29  :210 S3 S5A B6 GTO 130 
                  DES INPUT = ISR ^ DESOUT  OSR INPUT = DESOUT 
                  IV INPUT = ISR            LATCH INPUT = ISR ^ DESOUT 
/* 
/* CBC DECRYPT 
/* 
31    7   1c  0   LDKEY CKKEY CLISRF CLEAR 
32    59  48  34  B2 S3 S4 B6 B13 LT? 250 
                  DES INPUT = ISR           OSR INPUT = IV ^ DESOUT 
                  IV INPUT = Qn             LATCH INPUT = ISR 
33    2   19  1   CKKEY SROL SHFTR 
34    0   15  34  :250 ISRFT? 250 
35    e3  12  1   CLISRF CKL LDDES CKDES CKKEY SUB 01 
36    0   17  39  ISRFOSRET? 230 
37    0   16  37  :220 OSRET? 220 
38    0   f4  34  CLOSRE CKOSR WIV GTO 250 
39    e3  f2  1   :230 CLISRF CKL WIV CLOSRE CKOSR LDDES CKDES CKKEY SUB 01 
3a    0   17  39  ISRFOSRET? 230 
3b    0   14  37  GTO 220 

ASSEMBLER OUTPUT CODE FORMAT 
Example: 31 7 1c 0 (four hex bytes) 

  31  memory address to be loaded into the MODE CONTROL REGISTER 
  07  M1 byte 
  1c  M2 byte 
  00  M3 byte 

NOTE: User programs must be written between hex addresses 20 and 3f, 
inclusive. 

TABLE 6. RAM CODE FOR ECB AND CBC OPERATING MODES 
[Figure 5 not reproduced. Transmit path: plaintext from the terminal 
(computer); initial value register IV0 (64 bits) is enciphered by DES 
under the 56 bit key K0 and is also copied to the data latch (Qn); the 
8 MSBs of the DES output are exclusive-ored with the plaintext byte; 
the ciphertext byte goes to the OSR for the modem and is shifted into 
IV0. Receive path: the ciphertext byte from the modem enters the ISR; 
IV1 is enciphered under K1; the 8 MSBs of the DES output are 
exclusive-ored with the ciphertext byte to give plaintext for the 
terminal; the ciphertext byte is shifted into IV1.] 

FIGURE 5. TWO WAY ENCRYPTION 
register 0 is encrypted using key register 0. As this number is being 
clocked into the DES enciphering hardware, it is also clocked into the 
data latch. When a plaintext character is input, it is added modulo 2 
to the eight most significant bits of the DES output block, giving 
DESOUT ^ ISR. (The symbol ^ denotes the "exclusive-or" operator 
throughout.) This byte of ciphertext is clocked into the output shift 
register for transmission by the modem. It is also clocked into 
initial value register 0 as the least significant byte; the seven 
other bytes are the previous initial value shifted one byte to the 
left, and the most significant byte of the previous initial value is 
discarded. 

The receive operation is nearly identical. The number in initial 
value register 1 is encrypted using key register 1. As this number is 
being clocked into the DES enciphering hardware it is also clocked 
into the data latch. When a ciphertext character is input, it is 
added modulo 2 to the eight most significant bits of the DES output 
block. This byte of plaintext is clocked into the output shift 
register for reception by the local terminal (computer). The 
ciphertext in the input shift register is clocked into initial value 
register 1 as the least significant byte; the seven other bytes are 
the previous initial value shifted one byte to the left, and the most 
significant byte of the previous initial value is discarded. 

There are two differences, then, between transmit and receive. One 
difference is the feedback to the initial value register: during 
transmit, ISR ^ DESOUT (the ciphertext just produced) is fed back, 
while during receive only ISR (the ciphertext just received) is fed 
back. The second difference is that key/initial value register pair 0 
is used in transmit and pair 1 in receive. 

Code for this ciphering mode is shown in Table 7. The statement 
"DES INPUT = Qn<<8 || ISR^DESOUT", taken from Table 7, should be read 
as follows: the input to the DES enciphering block equals the data 
latch output (Qn) shifted eight bits to the left and concatenated with 
the eight most significant bits of the "exclusive-or" sum of the input 
shift register and the DES enciphering block output. After loading 
the RAM program memory with the hex data in Table 7, the program start 
address (2bH) is written to the mode control register and execution 
begins. The program remains in a loop (2cH to 2fH) until the input 
shift register is filled. Depending on the most significant bit in 
the port configuration register, the DEP will either encrypt 
(transmit) using key/initial value register pair 0 or decrypt 
(receive) using key/initial value register pair 1. The mnemonic LT? 
tests the most significant port bit: a low selects transmit (the jump 
is taken) and a high selects receive (the next instruction is 
executed). The only timing requirement on the input to the DEP when 
changing from transmit to receive is that the data byte be written at 
least three DEP program instructions after the port register write. 
This guarantees that the LT? instruction (2dH) is executed after the 
port register write and before data ciphering. With a 4 MHz DEP clock 
this is 1.5 microseconds. After the data byte is written, the DEP 
program sequencer detects an input shift register full condition and 
ciphers the data. If the previous output data has been read, the new 
cipher byte is written to the output shift register, the next initial 
value is stored, and the sequencer again cycles waiting for the input 
shift register to be filled. If the previous output data has not been 
read, the sequencer waits (31H) until the output shift register is 
emptied. It takes at most twenty-four instructions from the time an 
input byte is written until the ciphertext is available to be read; 
for a 4 MHz clock this is twelve microseconds. 

In order for two stations to communicate properly, if k0 and k1 are 
input to key registers 0 and 1 (respectively) of the DEP device at 
station one, then k0 and k1 must be input to key registers 1 and 0 
(respectively) of the DEP device at station two: each station's 
transmit key is the other's receive key. The two stations need not 
have the same initial value, since a station synchronizes after eight 
characters have been received. This is a property of the eight bit CFB 
mode: after eight characters the 64 bit feedback register holds only 
ciphertext that both ends have seen. Therefore, to begin a session the 
two stations only have to establish session keys. The protocol shown 
in Figure 6 was used to exchange session keys. It does not require 
either station to be a master or slave; both stations perform exactly 
the same operations. A master key is input to key register 2. A 
random number loaded into key register 0 is encrypted in the ECB mode 
under the master key, and this ciphertext is transmitted. The received 
ciphertext is decrypted under the master key and loaded into key 
register 1. After these three operations the session key exchange is 
complete and two way communication may begin. 

Before this system could become a viable encryption product some 
additional work should be done. The error rates over the public 
telephone network, combined with the eight byte error extension 
property of the CFB mode (a corrupted ciphertext byte garbles the 
plaintext byte it carries and the eight that follow, for as long as it 
sits in the feedback register), result in an unacceptable error rate 
in the decoded plaintext. The OFB mode does not have the error 
extension property of CFB: a single transmission bit error results in 
a single plaintext bit error. However, telephone line noise frequently 
generates characters that were never transmitted; in the OFB mode, or 
in any other key stream mode, an inserted or dropped character results 
in a loss of synchronization. This condition would have to be detected 
and the initial values re-established, which is messy. Since ASCII is 
a seven bit code, programming the DEP for 7 bit CFB, appending parity, 
buffering several bytes, and retransmitting bytes in the event of a 
parity failure would substantially reduce the error rate. In the 
current system a single ECB encryption of the session key is 
performed. A double or even triple encryption of the session key is 
suggested, since master keys would probably be changed infrequently. 
Some check should also be made for transmission errors in exchanging 
session keys: if a wrong session key is installed, nothing will be 
decoded in one direction. 
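The two way 8 bit CFB link and the Figure 6 session key exchange described above, as an added example (this is not the paper's code or the DEP program). It assumes a toy 4-round Feistel cipher standing in for DES, so that it runs without a DES library; that cipher is not secure and only supplies an invertible keyed 64 bit block function. The master key and messages are constructed sample values. The example shows the three behaviours the text relies on: each station's transmit key is the peer's receive key, unrelated initial values cost exactly the first eight received characters, and a corrupted ciphertext byte garbles itself and the eight bytes that follow and nothing after that.

```python
"""Two-way 8-bit CFB link with separate transmit/receive key and IV pairs,
plus the Figure 6 session-key exchange (added example, not the paper's code).
Assumption: DES is replaced by a toy 4-round Feistel cipher so the example
runs without a DES library; it is NOT secure and only supplies an invertible,
keyed 64-bit block function.  Mode mechanics are what is being shown."""
import hashlib
import os

MASTER_KEY = b"master-key-demo!"   # constructed sample value for key register 2


def _f(key, half, rnd):
    """Round function of the toy cipher: 32 bits of SHA-256(key, round, half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key, block):
    """Stand-in for a DES encryption of one 64-bit block."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, rnd)))
    return r + l


def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block (only needed for the ECB key exchange)."""
    r, l = block[:4], block[4:]
    for rnd in reversed(range(4)):
        r, l = l, bytes(a ^ b for a, b in zip(r, _f(key, l, rnd)))
    return l + r


class Station:
    """One DEP box: key/IV pair 0 transmits, pair 1 receives.  The IVs are
    private to each box and need not match the peer's; 8-bit CFB
    resynchronizes once eight ciphertext bytes have been shifted through."""

    def __init__(self, k0, k1):
        self.k0, self.k1 = k0, k1
        self.iv0, self.iv1 = os.urandom(8), os.urandom(8)

    def transmit(self, plaintext):
        out = bytearray()
        for p in plaintext:
            desout = toy_encrypt_block(self.k0, self.iv0)   # encrypt IV0 under key 0
            c = p ^ desout[0]                               # 8 MSBs of DESOUT ^ ISR
            self.iv0 = self.iv0[1:] + bytes([c])            # feed the ciphertext back
            out.append(c)
        return bytes(out)

    def receive(self, ciphertext):
        out = bytearray()
        for c in ciphertext:
            desout = toy_encrypt_block(self.k1, self.iv1)   # encrypt IV1 under key 1
            out.append(c ^ desout[0])
            self.iv1 = self.iv1[1:] + bytes([c])            # feed back ISR only
        return bytes(out)


def session_key_exchange(master_key):
    """Figure 6: both stations perform the same three operations.  A random
    number is loaded into key register 0, encrypted in ECB under the master
    key and sent; the peer's ciphertext is decrypted into key register 1."""
    a_rand, b_rand = os.urandom(8), os.urandom(8)
    a_to_b = toy_encrypt_block(master_key, a_rand)
    b_to_a = toy_encrypt_block(master_key, b_rand)
    a = Station(k0=a_rand, k1=toy_decrypt_block(master_key, b_to_a))
    b = Station(k0=b_rand, k1=toy_decrypt_block(master_key, a_to_b))
    return a, b


def two_way_demo(msg_ab, msg_ba):
    """Unrelated IVs at the two ends: in each direction only the first eight
    received bytes are wrong; after that the link is in sync."""
    a, b = session_key_exchange(MASTER_KEY)
    return b.receive(a.transmit(msg_ab)), a.receive(b.transmit(msg_ba))


def error_extension_demo(msg, pos):
    """Flip one bit of ciphertext byte `pos` in flight and return the indices
    of the plaintext bytes that come out wrong: the byte itself plus the
    eight that follow it through the 64-bit feedback register."""
    a, b = session_key_exchange(MASTER_KEY)
    b.iv1 = a.iv0                   # matched IVs so only the injected error shows
    ct = bytearray(a.transmit(msg))
    ct[pos] ^= 0x01
    pt = b.receive(bytes(ct))
    return [i for i in range(len(msg)) if pt[i] != msg[i]]
```

Because the toy cipher is only used in the encrypt direction inside the CFB loop, swapping it for a real DES call changes nothing in the mode logic; the decrypt direction is needed solely for the ECB key exchange.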

TRIPLE ENCRYPTION APPLICATION 

In the second application the DEP is programmed for a triple 
encryption. Such a program might be used to increase security in 
applications involving very sensitive or valuable data. Using 
multiple keys to encrypt the data increases the key space an intruder 
must search to decode the ciphertext (subject to the "meet in the 
middle" caveat discussed below). Three separate cipher block chaining 
(CBC) operations are performed on a single DES input block, using 
three different keys and initial values: register pairs 0, 1 and 2. 
The data latch is needed in the decrypt operation to hold intermediate 
products. Figure 7 shows the ciphering mode and Table 8 lists the code. 

The first instruction of the CBC encrypt code clears the input shift 
register so the user may begin loading data. The multiplexers are then 
set up with the input to the DES enciphering circuitry equal to the 
"exclusive-or" sum of the input shift register and the initial value 
register. In this same instruction the address of key/initial value 
register pair 0 is latched. Nothing further happens until the input 
shift register is filled. When that occurs: the first ciphering 
operation is performed; the input shift register is cleared so the 
second block of data may be entered; the DES output is written to 
initial value register 0; and register pair 1 is addressed. Next, the 
multiplexers are reset so that the input to the DES comes from the 
"exclusive-or" sum of the current DES output and initial value 
register 1. The second key (key register 1) and the new DES block are 
clocked into the DES circuitry, the key is shifted one position to the 
left and the DES subroutine is called. This completes the second 
ciphering iteration. The DES output is written to initial value 
register 1 and register pair 2 is addressed. The last ciphering 
operation is performed in the same way. The sequencer then waits until 
the output shift register empty flag is set before clocking that 
register, clearing the output shift register empty flag, and jumping 
back to the second program instruction (21H). 

The decrypt is similar to the encrypt operation with certain 
important exceptions. The keys and initial value register pairs must 
be invoked in reverse order (pair 2 first, pair 0 last). Similarly, 
the DES key schedule must be reversed; hence the instruction CKKEY 
SROL SHFTR (30H, 36H and 3aH) is required, which sets the key schedule 
circuitry for a right instead of a left shift. A third difference is 
that the data latch holds the new initial value while the current one 
is being used. Consequently the decryption code requires three more 
statements than the encryption code. In decryption sixty-one program 
instructions are executed, provided there is no waiting for the input 
shift register to be loaded or the output shift register to be 
emptied. With a 4 MHz clock, 32.8K ciphering operations per second 
could be performed. This triple encryption takes 3.6 times as long as 
a single encryption (seventeen program instructions), so the 
additional overhead over three separate encryptions is only 20%. 

There are many ways to implement cascaded ciphers and to feed back 
data blocks. The one just described suffers from error propagation: a 
single error in the input block to the decryption chain results in a 
50% error rate in the current and the next two output blocks, as well 
as a single bit error in the fourth block. At CRYPTO 84 Adi Shamir 
suggested two possible configurations for cascaded ciphers with no 
additional error propagation and no "meet in the middle" known 
plaintext attack. These are shown in Figure 8. Under a known 
plaintext attack, if the initial value is kept secret, the DES input 
remains unknown for these configurations. The DEP may easily be 
programmed for either of these modes. 
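The error propagation figures above follow directly from writing out the three chained CBC stages; this is an added derivation, not from the paper. $E_k$ and $D_k$ denote DES encryption and decryption under key $k$, $X^{(1)}_n$ and $X^{(2)}_n$ are the intermediate products that the data latch holds during decryption, $X^{(1)}_0$, $X^{(2)}_0$ and $C_0$ are the three initial values, $\tilde{\ }$ marks a corrupted block and $e$ is a block with a single bit set:

$$
\begin{aligned}
\text{encrypt:}\quad & X^{(1)}_n = E_{k_0}\!\left(P_n \oplus X^{(1)}_{n-1}\right),\qquad
X^{(2)}_n = E_{k_1}\!\left(X^{(1)}_n \oplus X^{(2)}_{n-1}\right),\qquad
C_n = E_{k_2}\!\left(X^{(2)}_n \oplus C_{n-1}\right) \\
\text{decrypt:}\quad & X^{(2)}_n = D_{k_2}(C_n) \oplus C_{n-1},\qquad
X^{(1)}_n = D_{k_1}\!\left(X^{(2)}_n\right) \oplus X^{(2)}_{n-1},\qquad
P_n = D_{k_0}\!\left(X^{(1)}_n\right) \oplus X^{(1)}_{n-1}
\end{aligned}
$$

If block $n$ arrives as $\tilde C_n = C_n \oplus e$ and every other ciphertext block is intact, each stage behaves like ordinary CBC decryption, turning the error into one block of garbage (about half the bits wrong) plus the same single bit error one block later:

$$
\begin{aligned}
\tilde X^{(2)}_n &= D_{k_2}(C_n \oplus e) \oplus C_{n-1} \;\text{ (garbage)}, &
\tilde X^{(2)}_{n+1} &= D_{k_2}(C_{n+1}) \oplus C_n \oplus e = X^{(2)}_{n+1} \oplus e, &
\tilde X^{(2)}_{n+2} &= X^{(2)}_{n+2} \\
\tilde X^{(1)}_n,\ \tilde X^{(1)}_{n+1} &\;\text{ garbage}, &
\tilde X^{(1)}_{n+2} &= D_{k_1}\!\left(X^{(2)}_{n+2}\right) \oplus X^{(2)}_{n+1} \oplus e = X^{(1)}_{n+2} \oplus e, &
\tilde X^{(1)}_{n+3} &= X^{(1)}_{n+3} \\
\tilde P_n,\ \tilde P_{n+1},\ \tilde P_{n+2} &\;\text{ garbage}, &
\tilde P_{n+3} &= D_{k_0}\!\left(X^{(1)}_{n+3}\right) \oplus X^{(1)}_{n+2} \oplus e = P_{n+3} \oplus e, &
\tilde P_{n+4} &= P_{n+4}
\end{aligned}
$$

Three stages therefore give three garbage output blocks followed by one block with a single bit error, which is the behaviour stated above; a single CBC stage would give one garbage block and one single bit error.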
CODE 

ADDR  M1  M2  M3  ASSEMBLER MNEMONICS 

/* CBC ENCRYPT 3 KEYS 
/* 
20    1   1c  0   CLISRF CLEAR 
21    3   6a  1   :50 S5A B6 B13 A13 ADD INT 
                  DES INPUT = ISR ^ IV      OSR INPUT = DESOUT 
                  IV INPUT = DESOUT         LATCH INPUT = ISR ^ IV 
22    0   15  22  :60 ISRFT? 60 
23    7   (M2, M3 and the mnemonics of this line are not legible in the source) 
24    0   3a  3   WIV ADD INT ADD0 
25    53  6f  0   S3 B2 S5A B6 B13 A13 
                  DES INPUT = IV ^ DESOUT   OSR INPUT = DESOUT 
                  IV INPUT = DESOUT         LATCH INPUT = IV ^ DESOUT 
26    c6  1f  0   LDKEY CKKEY LDDES CKDES 
27    2   12  1   CKKEY SUB 01 
28    0   3a  5   WIV ADD INT ADD1 
29    c6  1f  0   LDKEY CKKEY LDDES CKDES 
2a    2   12  1   CKKEY SUB 01 
2b    0   16  2b  :70 OSRET? 70 
2c    0   f4  21  WIV CLOSRE CKOSR GTO 50 
/* 
/* CBC DECRYPT 3 KEYS 
/* 
2d    1   1c  0   CLISRF CLEAR 
2e    59  4a  5   :160 B2 S3 S4 B6 B13 ADD INT ADD1 
                  DES INPUT = ISR           OSR INPUT = IV ^ DESOUT 
                  IV INPUT = Qn             LATCH INPUT = ISR 
2f    6   19  0   LDKEY CKKEY SROL SHFTL 
30    2   19  1   CKKEY SROL SHFTR 
31    0   15  31  :170 ISRFT? 170 
32    e3  12  1   CLISRF CKL LDDES CKDES CKKEY SUB 01 
33    5b  4f  0   B2 S3 S4 S5A B6 B13 
                  DES INPUT = IV ^ DESOUT   OSR INPUT = IV ^ DESOUT 
                  IV INPUT = Qn             LATCH INPUT = IV ^ DESOUT 
34    e0  3a  3   CKL LDDES CKDES WIV ADD INT ADD0 
35    6   19  0   LDKEY CKKEY SROL SHFTL 
36    2   19  1   CKKEY SROL SHFTR 
37    2   12  1   CKKEY SUB 01 
38    e0  3a  1   CKL LDDES CKDES WIV ADD INT 
39    6   19  0   LDKEY CKKEY SROL SHFTL 
3a    2   19  1   CKKEY SROL SHFTR 
3b    2   12  1   CKKEY SUB 01 
3c    0   16  3c  :180 OSRET? 180 
3d    0   f4  2e  WIV CLOSRE CKOSR GTO 160 

RAM PROGRAM CODE FOR TRIPLE ENCRYPTION 
TABLE 8 
[Figure 8 not reproduced.] 
TWO CASCADE CIPHERS (SUGGESTED BY ADI SHAMIR) 
FIGURE 8 



CONCLUSIONS 

A user programmed Digital Encryption Processor based on the 
National Bureau of Standards DES algorithm has been described. The 
DEP has been certified by the NBS as complying with the DES. All four 
of the NBS defined operating modes may be programmed. Multiple 
(cascaded) or multiplexed ciphering operations may be programmed, 
eliminating the need for more than one encryption device in some 
applications. The internal program sequencer allows the user to 
tailor the ciphering function to the specific system application. 
These features place the DEP beyond existing commercial devices. In 
order to extend the life of the DES, we would like to see more secure 
modes developed and analyzed. The DEP may be programmed to perform 
cascaded ciphering using all four key registers. The data throughput 
rate of 0.59 megabytes per second for the standard modes under worst 
case conditions is comparable with the fastest commercial part now 
available. For some of the unique modes the data rate will be much 
faster, since there is no host processor overhead. 

The proliferation of smart terminals and computers is leading to 
distributed networks with access to large data bases. These networks, 
along with the booming cable television market and satellite 
communications networks, are prime candidates for low cost secure 
encryption. 
Abstract 

Importance of DES: NBS, ANSI and ISO (in study) have DES as standards. 

The available devices or programs have some tedious properties for extensive use: 

• hardware is expensive or slow, and limited, 

• software is slow. 

We describe methods for obtaining efficient hardware and software implementations 
of the DES, i.e.: 
Hardware 

• cheap and fast hardware, 

• all standard modes, 

• available for an IC library; 
Software 

• fast, i.e. 150 kbit/s (VAX 11/780 without accelerator), 

• possibility of using small microprocessors (i.e. small programs with relatively high 
speeds). 

These efficient designs are obtained using, e.g., tables which are distinct from the 
tables described by the NBS norm. This leads to new problems for testing and for certi- 
fication. 

Tools 

General 

• DES paper presented at CRYPTO-83, 

• further simplifications, 

• analysis of modes; 
Hardware 

• taking the routing problems into consideration; 
Software 

• precomputation of some tables, 

• using effectively the word size of the processor (8, 16, 32, 48 bits) and the available 
operations. 

Common techniques 

CRYPTO-83 paper 

• Analytical properties: IP, E and PC1, 

• equivalent representations: iterative DES, modification of the table P. 
Feedback modes 

Idea 

• The idea is to put IP as close as possible to the input of the feedback and IP^-1 
as close as possible to the output of the feedback. This simplifies the routing 
and the clock circuits in a hardware implementation. For the hardware and, if 
possible, for the software, one can then perform IP, IP^-1 and DES' in parallel, 
where DES' is an IP-free DES. Another reason is related to the security of the 
implementation (key confinement). 

Key generation 

• Precomputation versus parallel computation. 
P · E: analytical expression. 

Remark. The key remains constant in the four DES modes. 
Software 

Good software designs for the DES are obtained using algorithm transformations; for 
instance, function composition, a good match with the primitives of the processor used, and pre- 
computations. Some time-memory tradeoffs are necessary in order to avoid too expensive 
tables. The term "too expensive" is relative to a given processor: a small microprocessor 
has only 8 registers of one byte, 100 bytes of internal RAM and 1000 bytes of program, 
while a big computer has about 10 megabytes of data and program (not using 
the virtual memory, which gives bad performance in very repetitive tasks). 

Use of the CRYPTO-83 paper: 

• analytical properties: IP, E, PC1, 

• equivalent representations, 

• idea of P · E, 

• iterative DES, 

• modification of the table P. 

A special technique exists for E. Another technique is the precomputation of the key 
scheduling. This precomputation requires 96 bytes of RAM for storing the 16 interme- 
diate keys (16 subkeys of 48 bits). For some microprocessors this value is prohibitive: other techniques with 
precomputations exist using only 16 bytes of RAM but more complicated procedures. 

The use of a two-stage iterative DES model simplifies the program, using the fact 
that DES is sequential in nature. 
The precomputation of tables is useful for obtaining fast software. For instance, 
each S-box realizes four functions of six variables, i.e. requires 256 bits of memory (total: 
256 bytes for 8 S-boxes). If we realize these S-boxes as four groups of two S-boxes, we 
now need 32 kbytes, but the number of accesses to the S-boxes has been halved. 

Another technique is to combine the S-boxes with the permutation P. This technique 
demands 2048 bytes of memory (8 tables of 64 entries of 32 bits). 

The 48 bit model (see CRYPTO-83 paper) is very useful on computers with words 
of 48 bits. 

A software implementation of the DES on a VAX 11/780 has been made. The 
expected speed of about 150 kbit/s has been obtained. Other implementations are being studied. 
A complete paper will appear in the near future. 

Hardware 

See the relevant paper in these proceedings. 
Abstract. Several improvements for realizing implementations of the DES are discussed. It is 
proved that the initial permutation and the inverse initial permutation can be located 
at the input, respectively the output, of each mode of the DES. A realistic design for an 
exhaustive key search machine is presented. 



1. Introduction 

In [14] the reader finds that hardware which is at the same time cheap and fast does 
not exist [1]. In this paper we propose mainly one efficient chip design for the DES. 
Nevertheless, depending on the needs of the user, different versions are possible. The 
proposed version is designed for general purpose. In section 10, however, a version for 
exhaustive search of the keys is illustrated. It is important that all versions can use the same 
techniques. 

The reader not familiar with the DES finds the NBS description of the DES in the 
literature [9]. 

1.1. Problems and used techniques 

In designing the chip one has to solve several technical problems: 

1. the complexity of the routing 

2. the minimization of the needed chip area 

3. the maximization of the desired speed 

4. the limitation of pin connections. 
The main problem in a DES chip is the routing. This can be illustrated by looking 
at figure 1, which shows a straightforward realization of the DES algorithm [4]. There we 
see that the width of the interconnections (e.g. 64, 48, ...) will result in an enormous loss 
of area and speed. 

We can distinguish 5 important techniques (see list) to solve the previous problems: 

1. a serial/parallel realization with shift registers of the permutations and of memory 
and internal transport, in order to reduce the number of interconnections on chip 
(sections 3 and 4) 

2. the use of equivalent representations of the DES, 
in order to optimize speed 
(section 5) 

3. pipelining of the different data blocks, 
in order to maximize the activity on the chip 
(section 6) 

4. rearrangement of the functional elements, 
in order to shorten the length of interconnections 
(section 7) 

5. a modular controller with microprogramming, 
in order to ensure the flexibility of the design 
(section 8) 

Remark that as a consequence of the coherence needed in the hardware solution, a lot 
of simplifications proposed in previous papers (e.g. [3]) could not be used. 

In the next sections the routing problem for the transport part of the chip is solved 
by using a serial-parallel structure. At the same time, we reduce the area needed for 
IP, IP^-1 and PC1 to about 1/20 of the area of a fully parallel realization. 
It is important that none of these solutions slows down the data rate. 

The routing problem for the part which carries out the 16 iterations (incl. the subkey 
generation) is solved by rearranging the different elements, so shortening the length of 
the interconnections. This will be explained in detail in section 7. 

1.2. Survey of the chip 

We divide the chip in 2 important parts. The first, called the transport part, supports 
the data transport with the environment and also the internal transport between different 
memories (incl. the permutations IP, IP^-1 and PC1). The second, called the iteration hard- 
ware, calculates the 16 iterations of the DES algorithm without IP and IP^-1 (from now 
on we call these 16 iterations DES*), incl. the generation of the subkeys. 

We will first explain the basic idea used to simplify the realization of the modes. Later 
on we will explain the other techniques used. 
At first sight, the DES algorithm suffers from an enormous routing problem. Conse- 
quently the main goal of our design was to solve this problem by serialization and rear- 
rangement without slowing down the data rate. 

Figure 1: the routing problem 
2. Equivalent representation for the modes: an introduction 

In the FIPS publication [8], four modes of operation for the DES are defined. These 
modes specify different ways to encrypt and decrypt data. We show that you can reorder 
these modes so that IP and IP^-1 appear at another location in the algorithm. We first 
explain the general idea and the motivation of this transformation. Next we apply 
this idea to the 8 byte modes and the 1 byte modes. 

Mostly the execution of permutations in hardware or software slows down perfor- 
mance. The idea is to put IP, respectively IP^-1, as close as possible to the input, respec- 
tively the output, of the mode, so that IP and IP^-1 need not be carried out on the data 
in the feedback loop. To move the permutations we use the following properties. A 
permutation followed by a selection can always be transformed into a selection* followed 
by a permutation* (figure 2). A similar remark is true for an injection followed by a 
permutation. The elementary transformations explained at CRYPTO 83 will also be used 
[3]. 

2.1. 8 BYTE MODES 

In the case of the ECB mode it is trivial that IP is located at the input and IP^-1 at 
the output. 

In the CFB mode we can write IP · IP^-1 at location A (figure 3) and propagate them 
over the exors, using the elementary transformations of CRYPTO-83 [3] page 182; we then obtain 
the desired result. 

A similar result is easily found for the CBC and OFB modes. 

2.2. 1 BYTE MODES 

In CFB mode, a new input for the DES is formed out of the previous input for the 
DES and the actual output ciphertext. The 56 most significant bits of the new input for 
the DES come from the old input shifted 8 positions to the left. This can be represented (fig- 
ure 4) as a selection of 56 bits out of 64 bits (S1) together with an injection of 56 bits into 
64 bits (I1). The 8 least significant bits of the new input for the DES are the 8 bits of output 
ciphertext. This can be represented by an injection I2 of those 8 bits into 64 bits. To 
form the output ciphertext the 8 most significant bits of the DES output are selected by 
selection S2 and exored with the plaintext. The content of these selections and injections 
is shown in tables 1 and 2. The selections and injections are represented in the same way as the 
permutations of the DES in the NBS norm [9]. Now by applying some transformations 
one is able to obtain the desired result. 

Let us therefore put IP · IP^-1 at location B in figure 4. Using the property of figure 2 
we obtain figure 5, where the effect of Q_a(S_a(64 bits)) is the same as S_2(IP^-1(64 bits)). 
In figure 5 we put Q_a^-1 · Q_a at location C. By moving Q_a, IP and IP^-1 (using CRYPTO 
83) we obtain figure 6. Using the first property of figure 4, this figure is transformed into 
figure 7, where Q_b(S_b(64 bits)) is the same as S_1(IP^-1(64 bits)), and similarly for I_c(Q_c) and 
Figure 3: CFB 8 byte mode 

Figure 4: representation of the 1 byte CFB mode with selections and injections 
(legend: a selection; an injection) 

S1 = [  9 10 11 12 13 14 15 16        S2 = [ 1 2 3 4 5 6 7 8 ] 
       17 18 19 20 21 22 23 24 
       25 26 27 28 29 30 31 32 
       33 34 35 36 37 38 39 40 
       41 42 43 44 45 46 47 48 
       49 50 51 52 53 54 55 56 
       57 58 59 60 61 62 63 64 ] 

Table 1: the selections S1 (64 -> 56) and S2 (64 -> 8) 

Table 2: the injections I1 (56 -> 64) and I2 (8 -> 64) [table not reproduced] 

Figure 7: intermediate result of the CFB 1 byte mode derived from figure 6 

Figure 8: final result of the CFB 1 byte mode derived from figure 7, without permutations 

Table 3: the selections S_a (64 -> 8) and S_b (64 -> 56) [table not reproduced] 

Q_a = [ 5 1 6 2 7 3 8 4 ]        Q_a^-1 = [ 2 4 6 8 1 3 5 7 ] 

Table 4: the permutations Q_a (8 -> 8) and Q_a^-1 (8 -> 8) 

Q_d = [ 2 4 6 8 1 3 5 7 ] 

Table 5: the permutations Q_b (56 -> 56), Q_c (56 -> 56) and Q_d (8 -> 8) [only Q_d is legible] 

I_c = [ x  1  2  3  4  5  6  7        I_d = [ 1 x x x x x x x 
        x  8  9 10 11 12 13 14                2 x x x x x x x 
        x 15 16 17 18 19 20 21                3 x x x x x x x 
        x 22 23 24 25 26 27 28                4 x x x x x x x 
        x 29 30 31 32 33 34 35                5 x x x x x x x 
        x 36 37 38 39 40 41 42                6 x x x x x x x 
        x 43 44 45 46 47 48 49                7 x x x x x x x 
        x 50 51 52 53 54 55 56 ]              8 x x x x x x x ] 

Table 6: the injections I_c (56 -> 64) and I_d (8 -> 64) 
I_d(Q_d). By calculating all these tables one can prove that Q_c(Q_b) = I and Q_d(Q_a) = I, 
with I the identity permutation. 

In figure 8 we find the final result. We see that IP is no longer used in the feedback loop, 
and that two 8 -> 8 permutations have appeared at the input and output of the data. The 
content of the new permutations, injections and selections is shown in tables 3, 4, 5 and 6. 
They must be read as in the NBS representation [9]. 

A similar result for the OFB mode can be obtained using similar techniques as for 
the CFB mode. 

Remark that this equivalent representation of the modes can also speed up the soft- 
ware, as explained in [14]. 

3. A fast serial/parallel realization for the permutations 

The transport part of the chip communicates with the environment using 8 bit 
buses. The main reason for this is the limitation on the number of connection pins of the 
chip. However, these buses also allow us to realize the permutations IP, IP^-1 and PC1 
in an elegant way. 

The idea is that by shifting data from a bus into a shift register, you carry out a 
permutation in a hidden way. If you put an 8 -> 8 permutation between the bus and the 
shift register (see figure 9), you can realize a whole set of permutations. We found that 
IP, IP^-1 and PC1 can be realized using this set of permutations. 

3.1. Permuting with shift registers: an introduction 

When you send a block of 64 bits over an 8 bit bus, you send it byte after byte. If we 
place at the end of the bus 8 shift registers of 8 bits each, we can enter these 8 
bytes sequentially (8 x 8) (see figure 10). Normally we call the first shift register the first byte of our 
memory, the second shift register the second byte, etc. (indicated with italic numbers, e.g. 
13). 

What we see is that the numbers of the memory locations (1, 2, 3, ..., 64) and the 
numbers of the data bits (1, 2, 3, ..., 64) do not agree. In conclusion, we have carried 
out a permutation. This permutation is represented by the vector at the foot of figure 10 
(for the interpretation of the vector notation we refer to the FIPS publication of the Data 
Encryption Standard [9]). From now on we call this permutation SR. 

In the same way we can show (see figure 11) that when we read out information from the 8 
shift registers onto a bus, we carry out another permutation. You can easily check that we 
get in that way the permutation SR^-1. 

Now that we know SR and SR^-1, we search for the 8 -> 8 permutations we need 
to realize IP, IP^-1 and PC1. 

3.2. Realization of IP and IP^-1 

If we want to have IP after we have shifted in, we have to do a 64 -> 64 permutation 
before SR, satisfying the following equation: 

    IP = SR after IP*    or    IP* = SR^-1 after IP 

The result is shown in table 7. If we write e.g. bit 18 as the 2nd bit of byte 3, we see 
that IP* can be realized by carrying out on each byte the same 8 -> 8 permutation IP' 
(see table 8). 

So the realization of IP has become very simple, as shown in figure 12. This realization 
is much smaller than a hardware connection path realizing the permutation. At the same 
time, the execution of IP does not consume extra time, because it is carried out during the 
input from the environment. 

A similar method is used to realize IP^-1: 

    IP^-1 = IP^-1* after SR^-1    or    IP^-1* = IP^-1 after SR 

Note that it is possible to use the same shift registers to carry out IP and IP^-1. This can 
be done simultaneously, by reading 1 byte out every time you read 1 byte in (see figure 12). 
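The two equations of section 3.2 can be checked by modelling the eight shift registers directly. The following is an added example, not code from the paper: it derives SR from the figure 10 arrangement (bus line j feeds register j, bits enter at position 1 and move toward position 8, so the first byte on the bus ends up deepest; this reading of the figure is our assumption), computes IP* = SR^-1 after IP and IP^-1* = IP^-1 after SR with the NBS table convention (output bit i is input bit T[i]), shows that each is eight copies of one 8 -> 8 byte permutation, and then simulates the hardware: permuting each bus byte with that 8 -> 8 permutation while shifting in yields IP of the block, and shifting out followed by the other byte permutation yields IP^-1. The only external data is the DES initial permutation IP from FIPS 46.

```python
"""Shift-register realization of IP and IP^-1 (added example, not from the paper).

Permutations use the NBS table convention: output bit i is input bit T[i],
bits numbered from 1.  The 8-register model (bus line j feeds register j,
bits enter at position 1 and move toward position 8) is our reading of
figures 10 and 11."""

# Initial permutation IP of the DES (FIPS 46).
IP = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]


def apply_perm(table, bits):
    """bits[0] is bit 1; output bit i is input bit table[i]."""
    return [bits[src - 1] for src in table]


def inverse(table):
    """Inverse permutation in the same table form."""
    inv = [0] * len(table)
    for i, src in enumerate(table, 1):
        inv[src - 1] = i
    return inv


def after(q, p):
    """Table of 'q after p' (p is applied first): out_i = in_{p[q[i]]}."""
    return [p[q[i] - 1] for i in range(len(q))]


def shift_in(bytes_in):
    """Figure 10: eight bytes (each a list of 8 bits) are shifted byte by
    byte into eight 8-bit shift registers.  Returns memory locations
    1..64 (register 1 positions 1..8, then register 2, ...)."""
    regs = [[0] * 8 for _ in range(8)]
    for byte in bytes_in:
        for j in range(8):
            regs[j] = [byte[j]] + regs[j][:7]
    return [b for reg in regs for b in reg]


def shift_out(memory):
    """Figure 11: the registers are read out onto the bus; each output
    byte is taken from position 8 of every register, then all shift."""
    regs = [memory[8 * j:8 * j + 8] for j in range(8)]
    out = []
    for _ in range(8):
        out.extend(reg[7] for reg in regs)
        regs = [[0] + reg[:7] for reg in regs]
    return out


def sr_table():
    """Derive SR by shifting in the data-bit numbers themselves."""
    return shift_in([[8 * k + j for j in range(1, 9)] for k in range(8)])


def byte_local(table):
    """If table is eight copies of one 8->8 permutation return it, else None."""
    first = table[:8]
    for b in range(1, 8):
        if [x - 8 * b for x in table[8 * b:8 * b + 8]] != first:
            return None
    return first


SR = sr_table()
IP_STAR = after(inverse(SR), IP)        # IP    = SR after IP*
IP_INV_STAR = after(inverse(IP), SR)    # IP^-1 = IP^-1* after SR^-1
IP_PRIME = byte_local(IP_STAR)          # the 8->8 permutation IP' of table 8
IP_INV_PRIME = byte_local(IP_INV_STAR)  # its counterpart for IP^-1


def realize_ip(bits):
    """IP carried out during input: permute each bus byte with IP' and shift
    in; the memory then holds IP(bits)."""
    bytes_in = [apply_perm(IP_PRIME, bits[8 * k:8 * k + 8]) for k in range(8)]
    return shift_in(bytes_in)


def realize_ip_inverse(memory):
    """IP^-1 carried out during output: shift out, then permute each byte."""
    out = shift_out(memory)
    result = []
    for k in range(8):
        result.extend(apply_perm(IP_INV_PRIME, out[8 * k:8 * k + 8]))
    return result
```

Running this gives IP' = [2 4 6 8 1 3 5 7] and, for IP^-1, [5 1 6 2 7 3 8 4]; these are the same two 8 -> 8 permutations that appear as Q_a^-1 and Q_a in table 4.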

3.3. realization of PC1

For PC1 we have a more complicated solution because of the irregularity in PC1 [3].
This can be shown by rewriting the notation of PC1 (table 9). If we could turn the second
part of the permutation PC1, we would get the permutation SR (for 7 shift registers of 1 byte).
This is exactly the way we will realize the permutation.

First we realize SR (7×8) with 7 shift registers during the input of the key in a similar
way as for IP (see the first marked path in figure 13). Then we rearrange these seven registers
into two registers of 28 bit. The first 28-bit register goes from the first byte up to half the
fourth byte. The second register goes in reversed order from the last byte up to half the
fourth byte (see the second marked path in figure 13). This reversed order of the second 28-bit
register makes it possible to turn the second part of the key at the moment those 2 registers
of 28 bit are loaded into a following memory unit of 2 times 28 bit (see figure 13).

This realization consumes a little more time, but this isn't a drawback because
you don't change the key very often. A variant is possible which changes the 2 keys e.g. in
1 clock period, but this consumes a little more place. The fact of using 2 memory units
for 2 keys can be used for the multiple key mode. We'll take the first memory as the
major-key register and the second register as the active-key register. Therefore we only
have to add 2 feedback lines which carry back the content of the active-key register to the
major-key register, so that no key is lost by the transport from the major-key register to
the active-key register (see figure 13). This configuration can also be expanded with a third
key register, which is very interesting for multiple encipherment of the active key [12].

R* and R are permutations.

Figure 9: With this shift register structure it is possible to carry out a set of 64→64
permutations.

Table 7: IP* = SR^-1 after IP

Table 8: IP* = 8 times IP'

the input is: 8 bytes from the bus

the realized permutation

SR = [ 57 49 41 33 25 17  9  1
       58 50 42 34 26 18 10  2
       59 51 43 35 27 19 11  3
       60 52 44 36 28 20 12  4
       61 53 45 37 29 21 13  5
       62 54 46 38 30 22 14  6
       63 55 47 39 31 23 15  7
       64 56 48 40 32 24 16  8 ]

(in the original figure the italic number indicates a memory location and the boldface number a data bit)

Figure 10: If you shift 8 bytes from a bus into 8 shift registers, you get the permutation
SR (a permutation is represented in a similar way as in the NBS norm of DES)

the output is (memory locations read out byte by byte):

byte 1 = 8 16 24 32 40 48 56 64
byte 2 = 7 15 23 31 39 47 55 63
...
byte 7 = 2 10 18 26 34 42 50 58
byte 8 = 1  9 17 25 33 41 49 57

the realized permutation

SR^-1 = [  8 16 24 32 40 48 56 64
           7 15 23 31 39 47 55 63
           6 14 22 30 38 46 54 62
           5 13 21 29 37 45 53 61
           4 12 20 28 36 44 52 60
           3 11 19 27 35 43 51 59
           2 10 18 26 34 42 50 58
           1  9 17 25 33 41 49 57 ]

Figure 11: by reading out of a shift register you realize the permutation SR^-1

Figure 12: realization of IP and IP^-1 with the same shift register



4. a fast serial/parallel realization for memory and transport

We'll explain our internal interconnection system built out of shift registers and
multiplexers. This system is small, very fast and flexible enough for the DES algorithm.
Table 9: the structure in PC1 and the relation with SR.

major key register
active key register
(first marked path) = the path to read in a new key
(second marked path) = the path to change the 2 keys.

Figure 13: realization of PC1 by 2 subsequent memory transports

HR1 and HR2 are additional registers. The workregister is the memory unit in the
iteration hardware (see section 9).

Figure 14: the fast internal transport organization. It's used to calculate the modes (the
exors are omitted from the figure for simplicity)

A common way to organize transport is with one data bus and an address bus. Then
the memory usually consists of RAM and ROM units. The advantage of this solution
is the flexibility of addressing and the possibility of transport between many devices far
from each other.

We took another approach because we don't need those advantages. We chose to
organize the memory in 4 shift register units of 8 byte (8×8) each. Instead of one bus, we
made a connection path from every output to each of the four inputs (including its own
input) (see figure 14). For our design this structure is faster, smaller and flexible enough.

It's faster for two reasons. First, it isn't necessary to specify a new address for
every byte. Second, it can transport 4 bytes simultaneously. So the maximum capacity
is 32 byte in 8 clock periods. We'll use this structure to calculate the feedback modes.
This is a time-critical job because it isn't possible to pipeline it with something else (see
section 6).

It is difficult to explain why this structure is very small. At first sight you
may think you have discovered a new routing problem. This isn't so, because the length of the
connections can be kept small by a good floorplan. In section 9.2 we describe a floorplan
for an nMOS realization. Most interconnections between these registers aren't longer than
150 µm. It was even possible to place all the interconnections and multiplexers on 0.5 mm²
(8×8 version).

This structure has a smaller flexibility because we always have to transport all 8
bytes in the same sequence from one unit to the other. Transporting less will break up
every byte by partly shifting it out and partially shifting something else in. It is clear that
this partial transport is a "wrong" way to transport entire bytes. But as we see in
section 5.1, we can use this "wrong" way of transport to execute the 1 byte modes in
a very simple way. Note that to execute the modes we also need to incorporate some
exors in the structure. This can be done in many ways depending on the technology used.
One method well suited for nMOS is adding 8 fixed exors between the workregister and
the input output register and also 8 fixed exors between the workregister and HR1 (=
additional register 1). The outputs of those exors are connected to each multiplexer again.
It can be shown that this configuration is sufficient to calculate the modes.

4.1. a possible modification for smaller, but slower devices 

Up to now, we've used units of 8 × 8 shift registers for the input output registers and
the other registers of the fast internal transport. However, it's also possible to construct
an equivalent version with 4 shift registers of 16 bits long [5].

The difference between the two is that the interconnection hardware is only half of
the size for the 4 × 16 version. On the other hand the 4 × 16 version is also 2 times slower
for the transport of data. Therefore the 4 × 16 version is only useful for a slow and small
version (< 5 Mbit and ±4 mm²).

5. Equivalent representations 

5.1. modes 

As explained in section 3.2, we can easily realize IP when we transport data from an
8 bit bus into a shift register. This consumes no extra time when it can be combined with
the input and output from and to the environment. However, this method needs a lot of
time when you have to use it for data already on chip. Therefore it's very useful to move
the permutations IP and IP^-1 out of the feedback loop of the modes to the input and
output of the chip.

Figure 3 shows clearly that for the 8 byte modes the solution is found. However, for
the 1 byte modes a little more explanation is needed to show why the result in figure 8
is useful. The permutations Q and Q^-1 of figure 8 are the permutations IP* and IP^-1*
we used to read in and out (section 3). The realization of the selections and injections
is very simple with our internal transport structure (section 4). We saw there that you
can only transport entire bytes if you transport all 8 bytes together by shifting the
shift registers 8 times. However, if you shift those registers only once, you will eject the last
bit of every byte (= S_a). The other seven bits of every byte (= S_b) will be shifted to the
seven last places of every byte (= I_c) and a new bit will enter at the first place of
every byte (= I_d). This new bit is the ejected bit exored with the corresponding bit of the
incoming byte of data.

5.2. the permutation P

Because the permutation P will be realized in hardware with wires, it's obvious that the
needed area can be diminished by a well-chosen modified P [3]. How you get the optimal
modified P is shown in figure 15.

Figure 15: optimization of P for a hardwired realization

5.3. optimization of the 16 iterations 

Starting from the official representation of the DES algorithm, we see that each iteration
starts with the evaluation of the non-linear function and ends with reversing the
2 datablocks. If you reorder [13] the algorithm as in figure 16, it becomes clear that the
exchange can be done at the same moment as the evaluation of the non-linear function.
In this way, the time to execute DES* (= DES without IP and IP^-1) is almost equal to
the time needed for 16 evaluations, without losing time by exchanging the 2 datablocks.
As a consequence, the evaluation of the non-linear function is the time-critical path of the
algorithm. The only small drawback is that at the end an extra exchange of the right and
left block is required.



6. Pipelining 

The aim of the pipelining is to prevent the data rate from being slowed down by the time used
for data transport between the chip and the environment. This is very important because this
communication is slow.

In our design we distinguish 3 sections able to work simultaneously: an input section,
a DES* section and an output section. While the input section is entering the next
datablock, the DES* section is working on the actual datablock and the output section is busy
releasing the previous datablock. When these 3 sections have finished, there is a large
amount of data which has to be exchanged between the sections. The operation doing
this job is called the transfer. The transfer is executed with the structure described in
section 4. This operation also calculates the modes.

To illustrate the functioning of the device, especially to show how the modes are
realized, we have in figure 17 a representation of the activity as a function of time, e.g. for
the modes ECB and CBC. Note that HR1 and HR2 (additional memory 1 and 2) are
memories needed in the feedback loop of the modes.
Figure 16: optimization of the 16 iterations

7. Rearrangement of the functional elements 

The aim of rearranging is not to avoid the interconnections but to shorten the length. 

A large part of the routing is shortened by mixing the memory cells in the iteration
hardware. If you number the cells from 1 to 64 and put them in the following order:
(1 33), (2 34), (3 35), (4 36), ... (29 61), (30 62), (31 63), (32 64), the connected cells
come next to each other. So the connections become shorter than 100 µm. This structure
can be built with 32 cells each containing a shift register of 2 bit and 1 exor.

The second way to shorten lines relies on the fact that a memory cell is much larger
than an interconnection. So we'll put the lines from the subkey, the lines from the memory
and the lines from the S-boxes wired next to each other. In this way we have designed
a floorplan for the iteration hardware that minimizes the length between the memory and
the S-boxes, which is part of the time-critical path (cf. section 5.3).



8. Modular construction of the controller 

Microprogramming is known as a good but slow way of controlling. The speed problem
can be solved by using a lot of small units. Every unit is able to carry out one class of
tasks. Above these task units is one unit to coordinate the cooperation between
the units. The communication between this coordination unit and the task units happens
with microcode. There is no communication between the task units, so that modularity
and testability are assured.
(first marking): shows that this part is active
(second marking): shows the transfer of data between the different memories.
Note for CBC-decipher that the calculation of DES* introduces a supplementary delay
of the data in the main path, so that in the feedback path 2 delays are needed instead of
1.

Figure 17: the activity as a function of time for the modes ECB and CBC-decipher
9. The entire design

9.1. the architecture

In figure 18 the survey of the total architecture is shown. Depending on the design
strategy, the technology used and the desired features, some elements may have to change.
The solution of the figure is very well suited for an nMOS chip with a speed of about
14 Mbit/sec.

As seen in section 4, there are 4 data memories of 64 bit (= 8 × 1 byte). The memory
called workregister is a special one because it can work in 2 different ways. It can be
switched as 8 shift registers of 1 byte, or as 32 registers of 2 bit to perform the 16 iterations
(see section 7).

There are also 2 key memories of 56 bit (= 7 × 1 byte). The parity check is carried
out on each key byte that is entered for the first time. With this configuration you can
memorize 2 keys, e.g. a major and an active key. When you enter a new key, you'll
overwrite the key which was in the input key register.

In the chip we have the following three transports: 

1. the internal transport, mainly used for realizing the modes 

2. an input bus 

3. an output bus

The first serves to transport data in a fast way between the 4 data memories (see section 4).
The second and the third serve for data transport between the environment, one fixed
register of 64 bit (called the input output register) and the active key register (see figures 12
and 13).

Maybe it is now a good moment to draw attention to the conformity of the techniques used.
E.g. reading in the data needs shift registers to realize IP at the same time;
with those shift registers a very fast transport is possible; we need that fast transport to
allow the pipelining and the execution of the modes; to allow this way of transport, the
workregister has to be a shift register; on the other hand, the iterations can be carried
out very fast using cells of a shift register, etc. It is with this conformity that we could
design a chip which at the same time is very fast and very small.

9.2. the floorplan 

In figure 19 you find a floorplan of an nMOS design. The total area used is about 9
mm² and the transistor density is more than a thousand transistors per mm². In the
floorplan you can distinguish 4 important parts.

1. The datapath doing the 16 iterations (+ the subkey generation)

2. The memories and multiplexers of the fast internal transport 

3. The input-output bus 

4. The controllers 







You see that the amount of interconnections is diminished compared with figure 1.
Figure 18: survey of the new architecture

10. a modified design for exhaustive search of the keys

The idea to cryptanalyze the DES by an exhaustive search was proposed by Diffie 
and Hellman [15]. An improvement is now presented, which mainly solves the problem of 
the complexity of the machine and its cooling. 

A chip built for exhaustive search of the keys must have 2 properties. First it has
to be very fast and second it must work with a minimum of communication with the
environment.

To make it fast we'll use the property that an exhaustive search of the key can be
realized using only the ECB mode. Therefore we will divide the path calculating the
non-linear function in e.g. 3 sections and pipeline those sections. There is however the
problem that we need the result of this non-linear function to calculate the new input
for the non-linear function. This will be solved by calculating DES simultaneously for 3
different keys. To do that we need three workregisters and three key registers. In that way
the speed can be improved by a factor of 3.

To minimize the communication with the environment, we'll generate the subsequent
keys on chip and we'll do the check of the result also on chip. To generate the subsequent
keys, we enter once a start value for the key in a counter on chip and then augment this
value each time by 1. By giving each chip a good start value, the whole key space will be
checked. To check the result, we enter only once the 2 datablocks for which we search the
key. The first block will serve as input for the DES algorithm and the result of the DES
algorithm will be compared with the second datablock on chip. If the result is equal to
the second block, an interrupt signal is given. In this way, only a microcomputer and a big
power supply are needed to command e.g. 10,000 chips.

Important is at which speed this device can work! To calculate three outputs you
need:

48 (= 16 iterations) + 2 (= delay in the pipeline) + 3 (= time for input and output) = 53
clock cycles.

At a clock frequency of 20 MHz you can check ±1.13·10^6 keys in one second. Suppose
that one device (incl. connection) costs 40 $ and that you spend 1,000,000 $; then you can with
2.5·10^4 devices calculate 2.8·10^10 keys in one second, or 1·10^14 keys in one hour. So you
calculate 1.7·10^16 keys in only 1 week. In total there are 7.2·10^16 keys. On the average
you will find the key after you've tried 3.6·10^16 keys and for this you need about two
weeks. If a chosen plaintext attack is possible, the time needed to find the key is divided
by 2 [11]. It may also be necessary to make allowance for more than one key satisfying:
cipherblock (64 bit) = DES(plaintext, key) [7].

The proposed hardware can be designed for CMOS such that no power problems 
would exist. 

11. Obtained results 

Without exaggerating, we may expect that a speed of up to 20 Mbit/sec. is possible to
obtain. Maybe higher speeds would be possible, but this would certainly cost a large
amount of power and area.

It's easy to calculate the speed by hand. Because of the pipelining, the chip is sometimes
doing many tasks simultaneously (see figure 17). The chip is so designed that the
evaluation of the 16 iterations normally takes most of the time. So the time needed for
encrypting or decrypting each datablock is the time for 16 iterations augmented with the
time for the transfer. In our design, 1 iteration needs 3 clock cycles. Finally, we also need
2 clock cycles to allow the controller to jump from one to another task unit (section 8).
Together we get:

Transfer : 8 clock periods
DES*     : 48 clock periods
jumps    : 2 clock periods

Total    : 58 clock periods

This means 64/58 bits in one clock period. To know the total speed you have to estimate
the clock frequency. In our design there are 2 to 3 gate levels for every 1/2 clock period (2-phase
clock) [10]. So a high clock speed can surely be obtained. In table 10 we give some
frequencies and the corresponding speed. We also indicate the possibility to exchange
speed versus area (and power). One can agree that the design is very compact compared
with its performance. Smaller technology should further minimize the area.

clock     datarate    area
3 MHz     3.4 Mbit    2x2 mm²
5 MHz     5.5 Mbit
10 MHz    11 Mbit     3x3 mm²
14 MHz    15.5 Mbit
18 MHz    20 Mbit     4x4 mm²

Table 10: datarate as a function of the clock frequency (with the expected area in 3 µm
technology)

12. Conclusions 

In this paper we presented several improvements in order to realize faster and smaller
chips.

We also proved that the initial permutation and the inverse initial permutation can
always be located at the input, respectively the output, of each mode.

To use DES in a strong way one has to change the active key frequently (e.g. every 10
seconds) and this active key must be multiply enciphered with different major keys before
transmission.
ABSTRACT

A cipher system used for secure communication over a noisy channel 
can automatically synchronize the sender and receiver by computing a 
stateless function of a key and a limited amount of the recent cipher- 
text. The more ciphertext feedback is used, the more the errors from 
the noisy channel are propagated. The less feedback is used, the 
easier ciphertext-only and chosen-plaintext attacks become. There is 
a trade-off between security and noise that must be made when a self- 
synchronizing system is built. 

This paper presents a self-synchronizing cascaded cipher system 
that permits most combinations of key and ciphertext feedback lengths 
and also allows adjustment of the trade-off between security and noise 
during system operation. At times when maximum security is not needed, 
the error propagation can be reduced temporarily. 

As implemented in hardware, the cascaded cipher has a storage
register for each stage. The function computed would normally depend
on the state of this storage, but different clocks are used at each
stage to render the function stateless. The use of a cascade helps to
keep the hardware cost down.



CIPHER FEEDBACK SYSTEMS 

Cipher feedback systems are useful in circumstances where synchronization
between the encipherer and decipherer cannot be guaranteed in
any practical way. Figure 1 shows a generic cipher feedback system.

The encipherer consists of a k-bit key register, an f-bit feedback
shift register and a combinatorial circuit with inputs from the
two registers and with one output. The sequence of output bits will be
called the encrypting sequence. It is a pseudo-random sequence if the
combinatorial circuit is correctly chosen. Some constraints may need
to be placed on the choice of keys in order to achieve pseudo-randomness.
The encrypting sequence is combined with the plaintext sequence
by modulo-2 addition to produce the ciphertext sequence. As each bit
of the ciphertext sequence is produced, it is shifted into the feedback
register. This means that each ciphertext bit may depend on the k bits
of the key, the previous f bits of the ciphertext and the current plaintext
bit.

The decipherer like the encipherer has a k-bit key register, an 
f-bit feedback register and a combinatorial circuit identical to the 
one in the encipherer. The decrypting sequence from that circuit is 
combined with the ciphertext sequence to produce a plaintext sequence. 
After each bit of the ciphertext sequence is first used, it is shifted 
into the feedback register so that it is also used to produce the next 
f bits of the decrypting sequence. 

SELF-SYNCHRONIZATION 

A bit of the decrypting sequence will be the same as the corresponding
bit of the encrypting sequence provided only that the encipherer
and decipherer are using the same key and that the previous f bits
of ciphertext received by the decipherer are unchanged since the 
encipherer produced them. We will assume in general that some technique 
ensures that the encipherer and decipherer do use the same key. The 
second proviso will not always be met if the channel that carries the 
ciphertext is noisy for any reason. 

Any difference between ciphertext bits produced by the encipherer 
and the corresponding bits received by the decipherer will be called 
errors in the ciphertext. Similarly, differences between corresponding 
bits in the two plaintext sequences or in the encrypting and decrypting 
sequences will be called errors in the plaintext or in the decrypting
sequence.

A bit of the decipherer's plaintext sequence must be the same as 
the corresponding bit of the encipherer's plaintext sequence provided 
only that the corresponding encrypting and decrypting sequence bits are 
the same and the current ciphertext bit received is the same as the 
current ciphertext bit produced. This means that following a transmission
error which changes some bits in the ciphertext, there can be
errors in the plaintext for at most f bits after the last erroneous
ciphertext bit was received. Because the decipherer recovers automatically
within a short and fixed number of bits from errors in the ciphertext,
cipher feedback systems are said to be self-synchronizing.

Self-synchronization makes it unnecessary for the encipherer and 
decipherer to agree on a value or time to initialize their feedback 
registers. The first f bits of the plaintext sequence are not part of 
the message because the decipherer cannot be expected to recover them. 
But barring errors in the ciphertext, the decipherer can recover all 
the rest of the plaintext sequence no matter what its feedback register 
held when the first ciphertext bit was received. 

Self-synchronization also makes it feasible for the decipherer to 
interpret the ciphertext stream as a sequence of bits by periodic 
sampling even though its clock is not exactly as fast as the encipherer's
clock. A slight difference in clock speeds would produce occasional
bursts of plaintext errors up to f + 1 bits long but would not
produce complete gibberish. 

There are variants on the system in Figure 1 which retain the 
self-synchronizing property. The encipherer could use a different 
invertible computation to produce the ciphertext sequence from the 
encrypting sequence and the plaintext sequence instead of the self- 
inverting modulo-2 addition. The decipherer would use the inverse. 
Another variation has the plaintext and ciphertext processed block by 
block instead of bit by bit with each ciphertext block (or part of it) 
being shifted into the feedback registers. We will not explicitly 
consider such variants, but the discussions below would be analogous or 
even identical for the variant cipher feedback systems. 

The essential features are that (1) the encipherer's and decipherer's
feedback registers contain a limited number of bits of the recent
ciphertext sequence (or equivalent information), (2) the encrypting
and decrypting sequences are produced by the same stateless function
of the key and at least some of the contents of the feedback register,
and (3) the encrypting sequence is combined with the plaintext in such
a way that the plaintext can be recovered from the resulting ciphertext
whenever corresponding portions of the encrypting and decrypting sequences
match.

THE SECURITY PROBLEM 

The advantages of self-synchronization come with two major disadvantages.
One is that errors in the ciphertext are propagated. The
other is that the length of the feedback register may allow the cipher
system to be broken by an exhaustive search less expensive than an
exhaustive search of the key space.

As long as the key remains the same, the bit of the encrypting
sequence produced after a particular f-gram in the ciphertext will
always be the same. A codebook can be assembled whose index is the
values of the previous f bits of the ciphertext and whose entries are
the bits of the encrypting sequence that must follow. It can be used
in place of the key and combinatorial circuit in the encipherer or
decipherer. The codebook has 2^f bits. If 2^f is less than the key
length k, it is easier to search exhaustively for the right codebook
than to search for the right key.

When the codebook has fewer bits than the key, many keys must be
equivalent to each other. Each equivalence set of keys is associated
with a unique codebook. The mean size of the equivalence sets will be
at least 2^(k - 2^f). Analysis of the plaintext and ciphertext can
identify the key's equivalence set by finding that the set's codebook 
(or some member of the set) deciphers the ciphertext. But unless the 
equivalence set turns out to be a singleton set, the key cannot be pos- 
itively identified from the plaintext and ciphertext. Identifying all 
the members of the key's equivalence set is more difficult than finding 
the set's codebook. This fact is useful as we will discuss later if 
the secrecy of the key can sometimes be more important than the secrecy 
of the plaintext. 

THE NOISE PROBLEM 

A feedback register which is too short relative to the key register
can make the cipher feedback system easier to break than it would
otherwise be. That makes very short feedback registers undesirable.
The error propagation from cipher feedback registers, on the other hand,
makes very short feedback registers attractive.

In most other cipher systems, ciphertext errors either are not 
propagated at all or are potentially propagated indefinitely. If only 
error-free plaintext were acceptable, indefinite propagation would be 
preferable as it makes error detection easier. Instead, we will assume 
that some errors in the plaintext are tolerable but that it is valuable 
to minimize them. Clearly, the best error propagation is none at all. 
The error rate in the plaintext would then be no worse than the rate in 
the ciphertext. 
With cipher feedback systems, an error in one bit of the ciphertext
is normally propagated within the next f bits of the plaintext.
This is because the decipherer's feedback register holds the erroneous 
bit while the next f bits of the decrypting sequence are produced. Any 
of those f bits in the decrypting sequence could be in error as a 
result. Unless it is cancelled by another error in the ciphertext, an 
error in the decrypting sequence means an error in the plaintext. 

One plaintext error is unavoidable for each ciphertext error, but 
with error propagation there will be extra plaintext errors. The ratio 
of the expected number of extra plaintext errors to the expected number of 
ciphertext errors will be called the increased noise N. The increased 
noise may depend on the key value, the f ciphertext bits that precede 
an erroneous ciphertext bit, the f ciphertext bits that follow it and 
the combinatorial circuit that computes the decrypting sequence. To 
examine the relationship between N and f, we will assume that in order
to achieve pseudo-randomness in the encrypting sequence, a combinatorial
circuit was chosen for which changing a non-empty subset of the
bits in the feedback register has a fifty percent probability of changing
the circuit's output. This probability is based on a uniform distribution
of original values for the feedback register. A uniform
distribution is expected when the encrypting sequence is pseudo-random. 
The probability is assumed to hold for all keys or at least for all 
keys that are ever used. 

If there were no error propagation, N would be zero. If all 
ciphertext errors were single bit errors and were separated by at least 
f correct bits, N would be f/2. If the ciphertext errors were not 
always so well separated, they could be thought of as bursts. We will 
consider two errors separated by fewer than f correct bits to be in the 
same error burst. Bursts are thus separated by at least f correct bits 
but contain no stretches of correct bits that long. 

If all ciphertext errors were in bursts of at least two bits, N
would be (f + 1)/(2pb) + (1 - 2p)/(2p), where b is the mean length of
the bursts and p is the probability that a bit within a burst is in
error. The first and last bits of a burst must be in error to define
the burst's position and length, and we assume that the intervening
bits each have the same independent probability of being in error.
That probability is (bp - 2)/(b - 2) and can be expected to fall between
zero and one half.

If single bit errors are mixed with the burst errors, N rises 
toward f/2. 

The increased noise is roughly proportional to the length of the
feedback register if the assumptions about the combinatorial circuit
are met or nearly met. If, as is likely to be the case, keeping the
ciphertext error rate low is expensive and low plaintext error rates
are valuable, only very short feedback registers may be practical.

USING LESS FEEDBACK 

Deciding on a length for the feedback register is a problematic issue 
in selecting a cipher feedback system for an application. If the 
length is too short relative to the key length, the security of the 
system may be lost. If it is too long relative to the expected error 
bursts in the channel carrying the ciphertext, the plaintext may be too 
noisy to be useful or the cost of improving the ciphertext channel may 
be exorbitant. 

One way to deal with the dilemma is to postpone it. It is better to 
choose a length for the feedback register for each message to suit the 
message's sensitivity and the condition of the ciphertext channel when 
the message is sent than it is to choose the length based on the worst 
case messages. 

Some messages require the full measure of security that the key 
length provides. They should be sent when the channel noise is rela- 
tively quiet so that one can use a feedback register long enough not to 
impair security and still not cause an intolerable error rate in the 
plaintext produced by the decipherer. 

Other messages may require some cryptographic protection but not 
as much. Not all secret messages need absolute protection. A message 
whose secrecy can be priced is protected for all practical purposes if 
the cost of thwarting the protection exceeds the value of the message's 
secrecy. Such messages can be sent even when the channel noise would 
be too bad for the long register by using only some of the register's 
length. 

If only part of the feedback register is used as input to the 
stateless function that computes the encrypting and decrypting sequen- 
ces of a feedback cipher system, the size of the codebook depends on 
the length used. For example, if the feedback register has ten bits of 
which only five are used to compute the encrypting and decrypting 
sequences, the codebook has thirty-two bits not a kilobit. The cost of 
breaking the system would be the cost of trying 2^32 codebooks assuming
the key has at least thirty-two bits and the system has no other weak- 
nesses. For some messages in some applications, this may be adequate 
protection.

The effect on the noise of only using part of the feedback regis- 
ter depends on which part is used and on the nature of the errors in 
the ciphertext. If nearly all errors in the ciphertext are single bit 
errors, the increased noise in the plaintext depends on the length of 
the part used. For the example above in which only five bits of the 
feedback register are used, the increased noise would be the same as 
for a five-bit register all of which was used. 

On the other hand, with bursty ciphertext errors, the increased 
noise depends primarily on the position of the bit used which is fur- 
thest from the input to the feedback register. For the example above 
in which five out of ten bits are used, the feedback register's bits 
are numbered from one to ten starting with the bit nearest the input. 
If the five bits used are the even-numbered bits, the increased noise 
would be as bad as if all ten bits were used. The noise would be just 
as bad if bits six through ten were used. But if bits one through five 
are the ones used, the increased noise is the same as if the feedback 
register only had five bits. In general, the greatest benefit in noise 
control comes from preferring to use the bits closest to the input.

A SOLUTION 

Figure 2 shows the encipherer of a cipher feedback system allowing a 
dynamic choice of the effective feedback length. It has an f-bit 
cipher feedback register, an n-bit noise control register, a d-bit key 
register, an s-bit selection register, and n s-bit circulating selec- 
tor registers. All the registers are shift registers except possibly 
the noise control register and the d-bit key register. 

The encipherer has a 2^n-to-1 multiplexer with data inputs from the
feedback register and address inputs from n modulo-2 multipliers. The 
multipliers each take an input from the noise control register and an 
input from one of the selector registers. The output from the multi- 
plexer is input to the selection register. 

The encipherer also has a stateless function with inputs from the 
selection register and the d-bit key register. The function's output 
is the encrypting sequence. 

The contents of the n selector registers, the d-bit key register 
and the noise control register constitute the key. That makes the key 
length k be ns + d + n. Later discussion will show that k may actually 
be only ns + d since the noise control register is not like the other 
key registers. 
The multiplexer's n address inputs and f data inputs make n be the
base two logarithm of f, or the round-up of that log if f is not a 
power of two. For now we will assume that the length of the feedback 
register is a power of two. 

The constant s should be at least the base two log of d. It is 
mostly constrained by the options for clock speeds. 

There are two clocks called the feedback clock and the selection 
clock. The feedback clock shifts the feedback register. It pulses 
once for each ciphertext bit, or from the other points of view, once 
for each plaintext bit or once for each bit of the encrypting sequence. 

The selection clock pulses s times faster than the feedback clock. 
It shifts the selector registers and the selection register. Thus for 
each bit of the encrypting sequence, the selector registers circulate 
exactly once and the selection register is filled with entirely new 
multiplexer outputs. This means that the encrypting sequence is a 
stateless function of the key and the feedback despite the existence of a 
selection register and the shifting of the selector registers. The 
noise control register and the d-bit key register remain fixed. 

Each multiplexer output is called a feedback selection because it 
is a bit from the feedback. The products which are the outputs from 
the n multipliers determine which feedback bit is selected for each 
selection. The rightmost bit of the feedback register is selected when
all the products are zeros. And when they are all ones, it is the 
leftmost bit. The other combinations of products select the other bits 
of the register according to the binary number formed by the products. 

A zero in a bit of the noise control register leaves only half of 
the feedback bits able to be selected because the output from the mul- 
tiplier receiving that zero will itself be zero regardless of the input 
from the selector register. In fact, a zero in the noise control regis- 
ter causes one of the selector registers to have no influence on any 
selections. Two zeros allow only one quarter of the feedback bits to 
be selected. Each additional zero eliminates half of the remaining 
choices. Having all zeros in the noise control register allows only 
the rightmost bit of the feedback register to be selected. 

Because of the addressing order of the feedback bits, the bits 
that can be selected are the rightmost bits when the zeros in the 
noise control register are the bottommost bits. For example, if the 
noise control register has only two ones and they are the two topmost 
bits of the register, the s selections that go into the selection reg- 
ister will each be one of the four rightmost bits of the feedback reg- 
ister. Which of the four is selected in each case is determined by the 
corresponding bits in the two leftmost selector registers. 
As we noted earlier, preferring the rightmost feedback bits, the
ones nearest the input to the register, causes the least additional 
noise when ciphertext errors are bursty. (When errors are not bursty, 
preferences do not matter.) In the example, the noise would drop to 
the level expected of a feedback register with only four bits. 

The decipherer for the cipher feedback system produces its decrypt- 
ing sequence exactly as the encipherer produces the encrypting sequence. 
To recover the plaintext, the decipherer must be using the same key as 
the encipherer. The contents of the noise control registers must be 
the same, the contents of the d-bit key registers must be the same, and 
the contents of the corresponding selector registers must be the same 
when they are at the same point in their circulations. For each selec- 
tor register, it is sufficient to know that the encipherer's register 
when its feedback clock pulses matches the decipherer's register when 
the decipherer's feedback clock pulses. It does not matter whether the 
two feedback clocks pulse at the same time. 

OTHER FEEDBACK REGISTER LENGTHS 

We had assumed that the length of the feedback register f was a 
power of two. The selection process is more complicated otherwise be- 
cause some feedback bits can be selected by more than one address input 
to the multiplexer. This makes for irregularities in the effects of 
zeroes in the noise control register. As an example, we will consider 
a cipher feedback system in which f is 11. That makes n be 4. We will
number the feedback bits from right to left as 1 through 11. The 
address input to the multiplexer will be referred to as the decimal 
equivalent of the binary number formed by the products with the topmost 
product being the most significant binary digit. The noise control 
value is similarly derived from the noise control register's contents 
with the topmost bit being most significant. The multiplexer selects 
bits from the feedback register according to the following table: 

Address    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Selection  1 2 3 3 4 5 5 4 6 7  7  8  9  9 10 11

The next table shows the number of feedback bits that can be sel- 
ected for each noise control value. For example, a noise control value 
of eleven (1011) limits addresses to 0, 1, 2, 3, 8, 9, 10 and 11. This 
in turn allows selections to be made only from six feedback bits, bits 1, 
2, 3, 6, 7, and 8.

Value       0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Selectable  1 2 2 3 2 4 4 5 2 4  4  6  4  7  8 11

Provided that errors are not bursty, an appropriate choice of the 
noise control register's contents allows this feedback cipher system 
to be used with the same noise level as expected from other feedback 
cipher systems whose feedback registers had any number of bits up to 
eight. It could also be used with the noise level expected of its 
actual length of eleven. 

Assuming that the key length is between 64 and 128, the noise 
control values of thirteen or more would not reduce the security of 
the system and the other noise control values would provide six dif- 
ferent levels of security. Some of those six levels are probably too 
low for any messages in the application, but some choice still remains 
if not all messages require the security of having to try more than 
2^64 codebooks or keys.

When errors are bursty, the noise level depends primarily on the 
distance from the input to the feedback register of the furthest bit 
that can be selected. The following table shows what that distance 
is for each noise control value. For example, the furthest bit that 
can be selected when the value is eleven is bit 8. 

Value     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
Distance  1 2 3 3 4 5 5 5 6 7  7  8  9  9 10 11

Because distances from one through eleven all appear in the table, 
the system can have the noise level expected of a cipher feedback 
system whose feedback register's length was any number up to eleven. 
Assuming again that the key length k is between 64 and 128, the 
choices that might be attractive are noise control values of 0, 1, 3,
7, 11 and 13 which require trying 4, 16, 256, 2^32, 2^64, and 2^k
codebooks or keys, respectively, and give effective feedback lengths of 
1, 2, 3, 5, 8 and 9, respectively. 
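As an added example (not from the paper), the following Python computes the paper's two derived tables from the f = 11 selection table above, using the rule that an address is reachable only where the noise control register has ones; the break-cost function and the power-of-two helper are this example's own additions.

```python
# Added example: selectable bits and furthest selectable bit for every noise
# control value of the f = 11, n = 4 system, plus the log2 cost of breaking it.
F, NADDR = 11, 4

# Multiplexer address -> feedback bit, as the paper tabulates for f = 11
# (bit 1 is the bit nearest the register input, bit 11 the furthest)
SELECTION_F11 = [1, 2, 3, 3, 4, 5, 5, 4, 6, 7, 7, 8, 9, 9, 10, 11]
assert len(SELECTION_F11) == 1 << NADDR and max(SELECTION_F11) == F


def power_of_two_selection(f):
    """When f is a power of two each address names a distinct bit: address a -> bit a + 1."""
    assert f & (f - 1) == 0
    return list(range(1, f + 1))


def allowed_addresses(noise_value, n):
    """Each address bit is (noise control bit) x (selector register bit) mod 2, so a
    zero in the noise control register pins that address bit to zero: address a is
    reachable iff every 1 in a is also a 1 in noise_value (bit weights as in the
    paper's f = 11 example, most significant product first)."""
    return [a for a in range(1 << n) if (a & ~noise_value) == 0]


def selectable_bits(selection, noise_value, n):
    """The set of feedback bits the multiplexer can still deliver."""
    return sorted({selection[a] for a in allowed_addresses(noise_value, n)})


def selectable_count_table(selection, n):
    """Number of feedback bits that can be selected, per noise control value."""
    return [len(selectable_bits(selection, v, n)) for v in range(1 << n)]


def distance_table(selection, n):
    """Furthest selectable bit from the register input, per noise control value:
    what sets the noise level when ciphertext errors are bursty."""
    return [max(selectable_bits(selection, v, n)) for v in range(1 << n)]


def log2_break_cost(selection, noise_value, n, k):
    """log2 of the work to break the system at one noise control value: m selectable
    bits give a 2^m-entry codebook, hence 2^(2^m) codebooks, but never more than
    the 2^k keys."""
    m = len(selectable_bits(selection, noise_value, n))
    return min(2 ** m, k)


if __name__ == "__main__":
    print("selectable:", selectable_count_table(SELECTION_F11, NADDR))
    print("distance:  ", distance_table(SELECTION_F11, NADDR))
    for v in (0, 1, 3, 7, 11, 13):   # the paper's attractive choices for 64 <= k <= 128
        print("value %2d: 2^%-3d codebooks or keys, effective length %2d" % (
            v, log2_break_cost(SELECTION_F11, v, NADDR, 64),
            distance_table(SELECTION_F11, NADDR)[v]))
```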

DYNAMIC NOISE CONTROL 

The contents of the noise control register have been considered 
as part of the key. This is appropriate from some points of view but 
not from other points of view. If an attacker can measure the error 
rate, it is best not to consider the noise control value as part of 
the key. The error rates reveal too much about the noise control
value to call it secret. On the other hand, the encipherer and decipherer
must agree on the contents of their noise control registers just as 
with other registers that hold key material. If one changed the noise 
control value but not the rest of the key, the other would have to do 
the same.

There is another reason for the noise control value not to be 
secret like the key. It may be desirable to change the value much more 
often or more impulsively than the key is changed. If so, it would be 
convenient to communicate the new noise control values by an insecure 
channel. 

Changing just the noise control register is not always safe. As 
an example of the danger, consider a cipher feedback system in which f 
is 8, n is 3, d is 30, and s is 10. k is 60, not including the noise 
control value in the key. Some messages are worth less than the cost 
of trying 64K codebooks, but others are worth more than the cost of
trying 2^60 keys. If the cheaper messages were sent when there was
one zero in the noise control register, a set of all possible values
for the d-bit key register and two of the three selector registers
could be found by trying 2^50 keys with the same value in the third
selector register. The set is expected to have 2^34 members. This
exposes the cheaper messages but at too high a price if they were the
only target. Then when the zero is changed to a one and the key is not
changed, the full value of the key can be found by trying 2^44 keys. A
change of key would have been adequate to protect the more valuable 
messages, but changing just the noise control value was not enough. 

Simple modifications to the registers holding key material can 
make it safe to change the noise control value without changing the 
key. One option is to eliminate the d-bit key register and use various 
positions from the n circulating selector registers instead for the 
inputs to the stateless function in Figure 2. The key length k would 
then be ns. Another option is to have only one circulating selector 
register and use n different positions for the inputs to the multipli- 
ers. This makes k be s + d. Combining those options reduces k to s.

Any of these options requires s or d to be larger to keep the 
same key length k. Hardware constraints are likely to put an upper 
limit on s and might sometimes limit k too much for some of these 
choices to be viable. 

With any of the options, using a key with a short effective feed- 
back length does not compromise the prior or subsequent use of the same 
key with a longer effective feedback length. Returning to the same ex- 
ample, while the cheaper messages were being sent with an effective 
feedback length of four bits, the codebook could be found by trying 64K 
codebooks. This costs more than the cheaper messages are worth and is
no help in exposing more valuable messages. Trying all 2^60 keys is
expected to give a set of 2^44 possible keys, but trying fewer keys
would give only an incomplete set of possible keys. After changing to 
an effective feedback length of eight for the more valuable messages, 
it would be worth searching the set of keys to expose those messages 
but the cost of producing the set exceeds the value of the more valu- 
able messages. 

Besides having two or more classes of messages with different val- 
ues, having a choice of security levels and effective feedback lengths 
can be worthwhile if individual messages are not very valuable but the 
value of large aggregations of messages substantially exceeds the sum 
of their individual values. In an application with such messages, the 
noise control value can be adjusted to provide the maximum security at 
any particular time that does not produce intolerable noise in the 
plaintext. When the ciphertext channel is especially noisy, the 
security is too low for large aggregates but high enough for individual 
messages. Most of the time the ciphertext channel is not that noisy 
and the security level is high enough to protect the large aggregates 
of messages. Enough of the messages get the better protection that the 
valuable aggregates cannot be compiled at an affordable cost. The bene- 
fit is that messages do not need to be postponed when the ciphertext 
channel is especially noisy and that the ciphertext channel does not 
need to be as quiet all the time as the higher level of security and 
tolerance for plaintext noise would otherwise require. 

CASCADED SYSTEMS 

The encipherer in Figure 2 has an s-bit selection register and a 
stateless function with inputs from each of those s bits. The state- 
less function must be non-linear with respect to the selections if the 
whole system is to be non-linear. Also, s should be about as large as 
f or larger than f. A substantial portion of the cost of the system is 
the cost of the selection register and the stateless function. 

Figure 3 shows an alternative to the selection register and state- 
less function of Figure 2. The original stateless function is replaced 
by a cascade of stateless functions. The total cost of the functions 
in each stage of the cascade is likely to be much less than the cost of 
the one large function. The key inputs to each stateless function come 
from the key registers. 

Another savings comes from the replacement of the selection regis- 
ter with a much shorter cascade register for each stage in the cascade. 
We will call the length of the cascade register for the i'th stage c_i.
The product of the lengths of the cascade registers is s, the length of 
the circulating selector registers. 

The selections output from the multiplexer are input to the first 
cascade register. The outputs from each stateless function are input 
to the cascade register of the next stage in the cascade. The last 
stage is an exception. Its output is the encrypting (or decrypting) 
sequence.

Each stage in the cascade uses a different clock for shifting 
its cascade register. The first stage uses the selection clock, the 
clock which shifts the circulating selector registers. The clock for 
stage i + 1 pulses once after c_i pulses of the clock for the previous
stage, stage i. This means that each output bit from a stage that is 
shifted into the next stage's cascade register is a function of a 
completely different selection of bits in its own cascade register. 

Consider an example in which s is 36 and there are three stages, 
c_1 is 4, c_2 is 3 and c_3 is also 3. The selection clock pulses 36 times
faster than the feedback clock that shifts the feedback register. The 
clock for the second stage pulses 4 times slower than the selection 
clock which makes it 9 times faster than the feedback clock. And the 
clock for the third stage pulses 3 times slower than the clock for the 
second stage which makes it 3 times faster than the feedback clock. 
Each of the slower clocks can be cheaply derived from the next faster 
one.

Continuing with the example, each of the 36 selections from the 
feedback register for a bit of the encrypting sequence is shifted into 
the first stage's cascade register. After every fourth selection, an 
output from the first stage is shifted into the second stage's cascade 
register. We can partition the 36 selections for an encrypting bit 
into nine sets of four selections each with each input to the second 
stage depending on one of the nine sets. After every three of those 
sets, an output from the second stage is shifted into the third stage's 
cascade register. Another partition of the 36 selections into three 
sets of twelve each gives the selections on which each input to the 
third stage depends. When the feedback clock pulses, the output from 
the third stage which is a bit of the encrypting sequence, depends on 
three bits in the third stage's cascade register which depend in turn 
on all 36 selections. 

The cascade of stateless functions remains a stateless function 
itself despite the cascade registers. This is because each cascade 
register is filled completely at least once between feedback clock 
pulses and the inputs that are shifted into a cascade register while
producing a bit of the encrypting or decrypting sequence depend only on 
feedback register bits selected since the last pulse of the feedback 
clock. 

Returning to the example with three stages, it is easy to see what 
the equivalent stateless function would be in Figure 2. The selection
register would have 36 bits. There would be nine copies of the first 
stage's function, each one taking its inputs from four bits of the sel- 
ection register. There would be three copies of the second stage's 
function, each one taking its inputs from three of the nine first stage 
functions. Finally, there would be one third stage function whose in- 
puts come from the second stage functions. Its output is the encrypt- 
ing sequence. 
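The three-stage example above, as an added bit-level model that is not the paper's own design: the stage functions are constructed keyed truth tables, the clocking rule is the one the text gives, and the model checks that the clocked cascade agrees with the flattened Figure 2 function whatever the registers held before.

```python
# Added example: the Figure 3 cascade with s = 36 selections per encrypting bit
# and cascade register lengths c = (4, 3, 3), next to its flattened equivalent.
import random

S = 36
C = (4, 3, 3)                     # c_1, c_2, c_3; their product is s
assert C[0] * C[1] * C[2] == S


def clock_rates(lengths):
    """Pulses of each stage's clock per feedback clock pulse: stage 1 runs on the
    selection clock (s per feedback pulse); stage i+1 pulses once per c_i pulses
    of stage i."""
    total = 1
    for c in lengths:
        total *= c
    rates, prefix = [], 1
    for c in lengths:
        rates.append(total // prefix)
        prefix *= c
    return rates


def make_stage_functions(key_bits, lengths):
    """One stateless boolean function per stage: a truth table over its c_i register
    bits whose entries are key bits (a constructed keyed function, not the paper's)."""
    funcs, pos = [], 0
    for c in lengths:
        table = key_bits[pos:pos + (1 << c)]
        pos += 1 << c
        funcs.append(lambda bits, t=table: t[int("".join(map(str, bits)), 2)])
    return funcs


def cascade_bit(selections, funcs, lengths, regs):
    """Clock the cascade through one feedback clock period starting from register
    contents `regs` and return (output bit, final registers).  Stage 1's register
    shifts on every selection; stage i+1's register shifts once after every c_i
    pulses of stage i's clock, taking in f_i of stage i's register."""
    assert len(selections) == S
    regs = [list(r) for r in regs]
    counters = [0] * len(lengths)

    def shift(stage, bit):
        regs[stage] = regs[stage][1:] + [bit]
        counters[stage] += 1
        if counters[stage] % lengths[stage] == 0 and stage + 1 < len(lengths):
            shift(stage + 1, funcs[stage](regs[stage]))

    for sel in selections:
        shift(0, sel)
    return funcs[-1](regs[-1]), regs


def flattened_bit(selections, funcs, lengths):
    """The equivalent single stateless function of Figure 2: nine copies of f_1 over
    4-bit chunks, three copies of f_2 over the f_1 outputs, one f_3 on top."""
    layer = list(selections)
    for f, c in zip(funcs, lengths):
        layer = [f(layer[i:i + c]) for i in range(0, len(layer), c)]
    assert len(layer) == 1
    return layer[0]


def check_equivalence(trials=50, seed=7):
    """Constructed check: random key and selections, registers pre-loaded with stale
    history; the clocked cascade must agree with the flattened function every time,
    which is the statelessness the text argues for."""
    rng = random.Random(seed)
    key = [rng.randint(0, 1) for _ in range(sum(1 << c for c in C))]
    funcs = make_stage_functions(key, C)
    for _ in range(trials):
        sel = [rng.randint(0, 1) for _ in range(S)]
        regs = [[rng.randint(0, 1) for _ in range(c)] for c in C]
        if cascade_bit(sel, funcs, C, regs)[0] != flattened_bit(sel, funcs, C):
            return False
    return True


if __name__ == "__main__":
    print("clock pulses per feedback pulse:", clock_rates(C))   # [36, 9, 3]
    print("cascade == flattened function:", check_equivalence())  # True
```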

CONCLUSION 

The cipher feedback systems presented provide a way for some appli- 
cations that need self-synchronization to suffer less from the trade- 
off between the security and error propagation problems common to all 
cipher feedback systems. Applications in which ciphertext noise varies 
or lower plaintext noise than the maximum tolerable has value can bene- 
fit if they have messages that vary in the degree of cryptographic 
security needed or if the value of an aggregation of messages exceeds 
the value of the individual messages. 

The effective length of the cipher feedback register can be changed 
from one message to the next simply by agreeing on a new noise control 
value which need not be secret. Shorter effective lengths can be used 
for less valuable messages so that they will be corrupted with less 
noise.

The use of two different clocks allows the system to have a state- 
less function as necessary for self-synchronization. With even more 
clocks, a cascade can be used that helps to keep down the cost of the 
system. 

Abstract: Cryptographically secure pseudo-random number generators known so far
suffer from the handicap of being inefficient; the most efficient ones can generate only
one bit on each modular multiplication (n^2 steps). Blum, Blum and Shub ask the open
problem of outputting even two bits securely. We state a simple condition, the XOR-
Condition, and show that any generator satisfying this condition can output logn
bits on each multiplication. We also show that the logn least significant bits of RSA,
Rabin's Scheme, and the x^2 mod N generator satisfy this condition. As a corollary, we
prove that all boolean predicates of these bits are secure. Furthermore, we strengthen
the security of the x^2 mod N generator, which being a Trapdoor Generator, has several
applications, by proving it as hard as Factoring.



G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 193-202, 1985. 
© Springer-Verlag Berlin Heidelberg 1985


1. Introduction. 

Recently, there has been a lot of interest in provably "good" pseudo-random 
number generators [10, 4, 14, 3]. These cryptographically secure generators are "good" 
in the sense that they pass all probabilistic polynomial time statistical tests. However, 
despite these nice properties, the secure generators known so far suffer from the handi- 
cap of being inefficient; the most efficient of these take n^2 steps (one modular multipli-
cation, n being the length of the seed) to generate one bit. Pseudo-random number gen-
erators that are currently used in practice output n bits per multiplication (n^2 steps).
An important open problem was to output even two bits on each multiplication in a
cryptographically secure way. This problem was stated by Blum, Blum & Shub [3] in
the context of their x^2 mod N generator. They further ask: how many bits can be out-
put per multiplication, maintaining cryptographic security? 

In this paper we state a simple condition, the XOR- Condition and show that any 
generator satisfying this condition can output logn bits on each multiplication. We 
show that the XOR-Condition is satisfied by the logn least significant bits of the x^2 mod
N generator. The security of the x^2 mod N generator was based on Quadratic Residuos-
ity [3]. This generator is an example of a Trapdoor Generator [13], and its trapdoor 
properties have been used in protocol design. We strengthen the security of this genera- 
tor by proving it as hard as factoring. We also prove the XOR-Condition for logn 
least significant bits of RSA/Rabin Schemes. Our proofs are based on recent develop- 
ments in RSA/Rabin Scheme bit security. We present a history of these recent 
developments in the next paragraph. More recently, by a different proof Alexi, Chor, 
Goldreich & Schnorr [1] also proved the simultaneous security of logn least significant 
bits of RSA/Rabin Schemes. Previously, Long & Wigderson [7] showed how to extract 
logn bits at each stage from the generator of Blum and Micali [4]; however, this gain in 
efficiency is not enough to compensate for the extra time taken by this generator (O(n^3)
steps for each stage). 

The RSA-bit security problem has not only yielded several valuable proof tech- 
niques, but its two year history is also revealing in how mathematical progress is made - 
with successive partial solutions, simplifications and changes in point of view. 

The first result on RSA bit security was proved by Goldwasser, Micali & Tong [6]. 
They proved that any oracle for RSA least significant bit (an efficient procedure which
computes the least significant bit of the plaintext message when input the ciphertext) 
could be efficiently used to decrypt RSA messages, thus showing that RSA least 
significant bit is hard to compute unless RSA is easy to decrypt. However, the oracle
was allowed to err on only a 1/logN fraction of the inputs.

The next breakthrough came with the "binary gcd method" of Ben-Or, Chor & 
Shamir [2], which has been fundamental to all future developments. This procedure to 
decrypt RSA, probes the oracle at pairs of points, to determine the least significant bits 
of small messages. Each pair of probes is correct with probability 1/2 + ε, provided the
oracle is correct on a 3/4 + ε fraction of inputs, where ε is any positive constant. They also
showed that with more accurate oracles (7/8 + ε correct) for other RSA bits they could
decrypt RSA.

At this stage it was not clear if even 3/4 security could be proved for the least 
significant bit. This question was resolved by Vazirani & Vazirani [12]. They showed
that by guessing the least significant bits of loglogN random small messages (which can 
be done in polynomial time by considering all loglogN possibilities), they could random- 
ize the oracle probes thereby decrypting with a less-than-3/4 oracle. They also give a 
method for extending the proof of security to loglogN least significant bits and the xor's 
of all non-empty subsets of these bits. Goldreich [6] analyzed their combinatorial prob- 
lem exactly and showed that less-than-3/4 could be interpreted as .725 + ε.

In the next major development, Schnorr & Alexi used the strong Chernoff bound 
along with guessing least significant bits of loglogN random messages to obtain a decryp- 
tion procedure that used a single oracle probe for computing the least significant bit of 
small messages. Thus they proved 1/2 + ε security for any constant ε. However, this
security was still not good enough for using RSA for direct pseudo-random number gen-
eration - 1/2 + 1/n^c security was needed.

By guessing loglogN most significant bits of only two random numbers, Chor & Gol- 
dreich [5] showed how to generate logN pairwise independent numbers, whose least 
significant bits were known. Thus they could ask the oracle logN pairwise independent 
questions. Then using the Chebychev inequality, they show that a 1/2 + 1/n^c oracle will
suffice. 



2. Extracting Two Bits from the x^2 mod N Generator:

The x^2 mod N generator [3] is the following: On input N, x_0 (where N is the pro-
duct of two distinct primes each congruent to 3 mod 4, and x_0 is a quadratic residue
mod N), it outputs b_0 b_1 b_2 ... where b_i = parity(x_i) and x_{i+1} = x_i^2 mod N. Its security
was based on Quadratic Residuosity.

A variant of this generator outputs b_i = location(x_i), where location(x) = 0 if
x < (N-1)/2, 1 if x > (N-1)/2. The cryptographic security of this generator was also
based on Quadratic Residuosity [3]. However, the generator which extracts parity 
as well as location at each stage may not be cryptographically secure, because revealing
parity(x_i) may make location(x_i) predictable. Blum, Blum and Shub conjecture that this
generator is also cryptographically secure, and ask the open problem: how many bits can 
be extracted at each stage, maintaining cryptographic security? 

In this section we will prove their conjecture. In section 3 we will answer the open 
problem by giving a simple condition, the XOR-Condition. We will prove that logn 
bits (n = |N|) can be extracted at each stage from any generator satisfying this con-
dition. We will also prove that the x^2 mod N generator as well as the generators based
on RSA and Rabin's scheme satisfy this condition. 
The following theorem will also give an intuitive idea for the general results of sec-
tion 3, for which we will need to introduce some new definitions. 

The 2-Bit x^2 mod N generator on input N, x_0 (N and x_0 as before), outputs
a_0 b_0 a_1 b_1 ... where a_i = parity(x_i), b_i = location(x_i), and x_{i+1} = x_i^2 mod N.

Theorem 1: The 2-Bit x^2 mod N generator is cryptographically secure.

Proof: Suppose the 2-Bit x^2 mod N generator is predictable to the left. There are two
cases:

Case 1: It is predictable at an odd position, i.e. there is a probabilistic polynomial time
procedure, P, which predicts b_{-1} (see the footnote below) with probability 1/2 + ε,
given a_0 b_0 a_1 b_1 ... . Now we can use P to obtain location(x_{-1}): given any x_0,
simply generate the sequence a_0 b_0 a_1 b_1 ..., and use P to obtain b_{-1} = location(x_{-1}).
Contradiction, since location is secure under the Quadratic Residuosity Assumption [3].

Case 2: It is predictable at an even position, i.e. there is a probabilistic polynomial time
procedure, P, which predicts a_{-1} with probability 1/2 + ε, given b_{-1} a_0 b_0 a_1 b_1 ... .
Given x_0, we can generate a_0 b_0 a_1 b_1 ..., but not b_{-1}. Notice that P can be
arbitrarily bad at predicting a_{-1} if it is not provided with the correct bit. So instead
we will use P to obtain two procedures, P_1 and P_2, such that either P_1 has an ε/2
advantage in guessing parity(x_{-1}) or P_2 has an ε/2 advantage in guessing
parity(x_{-1}) xor location(x_{-1}).

Let u be the bit output by P on input 0 a_0 b_0 a_1 b_1 ..., and v be the bit output on
1 a_0 b_0 a_1 b_1 ... . If u = v, P_1 outputs u, else it outputs the flip of a fair coin. On the other
hand, P_2 outputs the flip of a fair coin if u = v, else it outputs u (in this case,
u = (0 xor u) = (1 xor v)). Notice the following facts:

1) On each input, x_0, exactly one of the two procedures, P_1 and P_2, uses the output of
P, and the other one flips a coin.

2) Whenever P gives the correct answer, so does the procedure using its output; the
other procedure, of course, flips a coin.

So the total number of correct answers output by both procedures is the number of 
correct answers output by P plus the number of correct answers output by the coin- 
flips. The fraction of total correct answers is (1/2 + f) + 1/2 = (1 + £). So at least 
one of the two procedures must be correct on 1/2 + e/2 fraction of inputs. In Theorem 
3, we will show that parity(x_{) xor location(x_ 1 ) is also secure, thus contradicting the 
existence of P l and P 2 and therefore P. 



$x_{-1}$ is the unique square root of $x_0 \pmod N$ which is a quadratic residue; $a_{-1} = \mathrm{parity}(x_{-1})$ and $b_{-1} = \mathrm{location}(x_{-1})$.
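As an added illustration (not code from the paper), the following Python builds the 2-Bit $x^2 \bmod N$ generator on a toy Blum modulus and computes the footnote's $x_{-1}$, the square root of $x_0$ that is itself a quadratic residue. It assumes parity(x) is the least significant bit and location(x) is 1 exactly when $x > N/2$ (the paper defines these predicates earlier; this encoding is the example's assumption), and it also checks the relation parity(x) = 0 iff location(x/2) = 0 that Section 4 relies on. Factoring $N = 7 \cdot 11$ is of course trivial; the point is only to make the objects in the proof concrete.

```python
# Added example (not the paper's code): the 2-Bit x^2 mod N generator on a
# toy Blum modulus, the quadratic-residue square root x_{-1} of the footnote,
# and the parity/location relation used in Section 4.
# Assumed encodings: parity(x) = x mod 2, location(x) = 1 iff x > N/2.

def parity(x):
    return x & 1

def location(x, N):
    return 1 if x > N // 2 else 0

def is_qr(a, p):
    """Euler's criterion: a is a non-zero quadratic residue modulo the prime p."""
    a %= p
    return a != 0 and pow(a, (p - 1) // 2, p) == 1

def crt(rp, rq, p, q):
    """Combine residues mod p and mod q into the residue mod p*q."""
    inv_p = pow(p, -1, q)                 # p^{-1} mod q
    return (rp + p * (((rq - rp) * inv_p) % q)) % (p * q)

def qr_sqrt(y, p, q):
    """The unique square root of the quadratic residue y mod N = p*q that is
    itself a quadratic residue.  Requires p = q = 3 (mod 4): then y^((p+1)/4)
    is the residue root mod p, and likewise mod q.  Needs the factors, which
    is exactly what Theorem 3 says an efficient parity oracle would yield."""
    assert p % 4 == 3 and q % 4 == 3
    rp = pow(y, (p + 1) // 4, p)
    rq = pow(y, (q + 1) // 4, q)
    assert is_qr(rp, p) and is_qr(rq, q)
    return crt(rp, rq, p, q)

def generator_2bit(N, x0, steps):
    """Output (a_i, b_i) = (parity(x_i), location(x_i)), x_{i+1} = x_i^2 mod N."""
    out, x = [], x0
    for _ in range(steps):
        out.append((parity(x), location(x, N)))
        x = x * x % N
    return out

def parity_location_link_holds(N):
    """parity(x) = 0 iff location(x/2) = 0 for every x in Z_N, where x/2
    means x * 2^{-1} mod N (N odd)."""
    half = pow(2, -1, N)
    return all((parity(x) == 0) == (location(x * half % N, N) == 0)
               for x in range(N))

if __name__ == "__main__":
    p, q = 7, 11                      # toy Blum primes, N = 77
    N = p * q
    x0 = 4                            # 2^2, a quadratic residue mod 77
    print("bits:", generator_2bit(N, x0, 6))
    xm1 = qr_sqrt(x0, p, q)
    print("x_{-1} =", xm1, "square:", xm1 * xm1 % N == x0,
          "residue:", is_qr(xm1, p) and is_qr(xm1, q))
    print("parity/location link over Z_77:", parity_location_link_holds(N))
```

With $x_0 = 4$ the generator cycles through 4, 16, 25, 9 and back, and the residue root of 4 is 9 (not 2, which is a non-residue mod 11); the exhaustive check over $\mathbb{Z}_{77}$ confirms the parity/location conversion used after Theorem 3.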
3. The XOR-Condition & Relative Security of Bits.

The difficulty in outputting two bits $b_1(x)$ and $b_2(x)$ at each stage (and the corresponding core of the above proof) lies in showing that there is no procedure that has any advantage in outputting bit $b_2(x)$, even though it is given $b_1(x)$ for free, i.e. in showing the relative security of $b_2$, given $b_1$. In general, in order to output $k$ bits securely at each stage from a pseudo-random number generator, the main fact to be proved is that for all $i < k$, there is no procedure that outputs bit $b_{i+1}(x)$ given bits $b_1(x), \ldots, b_i(x)$. In this section we shall prove that the XOR-Condition suffices to prove the relative security of these bits.

Blum & Micali [4] give sufficient conditions for using a one-way function and a boolean predicate for cryptographically secure pseudo-random number generation. In the past the security of boolean predicates (bits) has been proved by assuming the intractability of the underlying one-way function (e.g. in proving the security of RSA least significant bits). There are several forms for these intractability assumptions (in terms of circuit complexity, or Turing machine complexity, etc.). To make our theorems cleaner and independent of the nature of the intractability assumption, we shall in fact define the boolean predicate to be secure if the problem of inverting the underlying one-way function can be reduced in probabilistic polynomial time to the problem of computing the boolean predicate with a non-trivial advantage. We will require the reduction to be done uniformly (i.e. by the same Turing machine, for all $N$). As a result, any reasonable intractability assumption for the underlying one-way function will translate into a similar security for the boolean predicate. Since this reduction process is the only known technique for proving bit security, the proposed simplification does not sacrifice generality for all practical purposes.

First, we define formally the underlying one-way function:

Let $\mathbf{N}$ be a set of positive integers, the parameter values, and for each $N \in \mathbf{N}$, let $n = |N|$ and $X_N \subseteq \{0,1\}^n$ be the domain. We will assume that a random element of $X_N$ can be generated.

$E_N : X_N \to X_N$ is the one-way function with parameter $N$.

$b : (N, x) \to \{0,1\}$ is a boolean predicate computable in prob. poly. time.

Definition: Oracle $O_{b,N}$ has a $1/2 + \epsilon$ advantage in computing the boolean predicate $b$, if for a $1/2 + \epsilon$ fraction of domain elements $x \in X_N$, $O_{b,N}$ outputs $b(x)$ on input $E_N(x)$.

Definition: Boolean predicates $b_1, \ldots, b_{k(n)}$ are inversion secure if for each $t > 0$ there is a Las Vegas Algorithm $T$ that runs in prob. poly. time:

$T^{O_{b_i,N}}[i, E_N(x)] = x$,

where $O_{b_i,N}$ is a $1/2 + 1/n^t$ advantage oracle for $b_i$ with respect to $N$.

Definition: Oracle $O_N$ has a $1/2 + \epsilon$ advantage for boolean predicate $b_i$ relative to $b_1, \ldots, b_{i-1}$ if for at least a $1/2 + \epsilon$ fraction of $x \in X_N$,

$O_N[E_N(x), b_1(x), \ldots, b_{i-1}(x)] = b_i(x)$.

The behavior of $O_N$ is unspecified, and may be arbitrarily bad, if any of the $i-1$ bits is incorrectly input.

Definition: $b_i$ is secure relative to $b_1, \ldots, b_{i-1}$ if for each $t > 0$, there is a Las Vegas algorithm $T$ which runs in polynomial time:

$T^{O_N}[E_N(x)] = x$

where $O_N$ is a $1/2 + 1/n^t$ advantage oracle for $b_i$ relative to $b_1, \ldots, b_{i-1}$.



Notice that $T$ can use the oracle effectively only if it can guess correctly each of $b_1(x), \ldots, b_{i-1}(x)$. But in our case, these boolean predicates are already inversion secure. For this reason, proving relative security (i.e. the existence of $T$) is considerably more difficult than proving simple bit security. We now give the XOR-Condition, and show (in Theorem 2) how it yields a proof of relative bit security from simple bit security.

The XOR-Condition: Boolean predicates $b_1, \ldots, b_k$ satisfy the XOR-Condition if the XOR of each non-empty subset of these predicates is inversion secure.

Theorem 2: Let $k(n) = O(\log n)$. Let $b_1, \ldots, b_{k(n)}$ be boolean predicates which satisfy the XOR-Condition. Then for every $i < k(n)$, $b_i$ is secure relative to $b_1, \ldots, b_{i-1}$.

Proof: Suppose that $O_N$ is a $1/2 + 1/n^t$ advantage oracle for $b_i$ relative to $b_1, \ldots, b_{i-1}$. Let $T$ be the efficient procedure in the definition of the XOR-Condition for $b_1, \ldots, b_{k(n)}$. Then $T'$ is an efficient Las Vegas algorithm which uses the oracle $O_N$ to invert $E_N$ (see explanation at the end of the procedure).

T': On input $N$, $i$, $E(x)$;
    $O'_N \leftarrow$ Construct-Oracle[$O_N$, $i-1$, $1/n^t$];
    Run $T$ with oracle $O'_N$ to invert $E_N$.
end;

Construct-Oracle: On input $O_N$, $j$, $\epsilon$;
    If $j = 0$ then return $O_N$.
    Else, let $u = O_N[E(x), b_1, \ldots, b_{j-1}, 1]$,
              $v = O_N[E(x), b_1, \ldots, b_{j-1}, 0]$;
    Oracle $O_1[E(x), b_1, \ldots, b_{j-1}] = u$ if $u = v$, the flip of a fair coin otherwise;
    Oracle $O_2[E(x), b_1, \ldots, b_{j-1}] = v$ if $u \neq v$, the flip of a fair coin otherwise.
    Sample the two oracles on $8\epsilon^{-2} \log n$ random elements of $X_N$, to determine the fraction of correct answers given by each.
    If $O_1$ gives at least a $1/2 + \epsilon/4$ fraction of correct answers then return(Construct-Oracle[$O_1$, $j-1$, $\epsilon/4$]).
    Else return(Construct-Oracle[$O_2$, $j-1$, $\epsilon/4$]).
end.

$T'$ first calls the recursive procedure Construct-Oracle. By a proof similar to that of Theorem 1, either there is an oracle having $1/2 + 1/2n^t$-advantage for $b_i$ relative to $b_1, \ldots, b_{i-2}$, or there is an oracle having $1/2 + 1/2n^t$-advantage for $b_{i-1}$ XOR $b_i$ relative to $b_1, \ldots, b_{i-2}$. Moreover, sampling the two oracles a polynomial ($8 n^{2t} \log n$) number of times, Construct-Oracle can determine with high probability ($1 - 1/2\log n$) which of the two oracles has the advantage. Continuing this procedure $i-1$ times, Construct-Oracle will obtain, with probability $> 1/2$, a $1/2 + 1/n^{t+i}$-advantage oracle for the XOR of some subset of $b_1, \ldots, b_i$. $T'$ can now use this oracle to invert $E_N$.
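The oracle-splitting step is shared by the proof of Theorem 1 and by Construct-Oracle, so here is one added worked example for both (not the paper's code). A constructed toy domain $X = \{0, \ldots, M-1\}$ stands in for $X_N$ and $x$ itself stands in for $E(x)$; `b_prev` plays the bit the oracle must be told ($b_{i-1}$, or $b_{-1}$ in Theorem 1), `b_target` the bit it predicts ($b_i$, or $a_{-1}$). The oracle's 3/4 success rate when correctly informed, and its behaviour when misinformed, are this example's constructions. The exact accounting credits every coin flip exactly 1/2, which is the counting argument of the proof; the sampled version is what Construct-Oracle actually does.

```python
import random

# Added example, not the paper's code.  A toy domain X = {0..M-1} replaces
# X_N, and x itself replaces E(x).  b_prev plays the bit the oracle must be
# told (b_{i-1}), b_target the bit it predicts (b_i).  The oracle below is
# constructed with a 3/4 success rate when told b_prev correctly and is
# deliberately wrong whenever it is misinformed ("arbitrarily bad").
M = 1024
EPS = 0.25                 # the constructed oracle's advantage over 1/2

def b_prev(x):
    return (x >> 1) & 1

def b_target(x):
    return (x >> 2) & 1

def oracle(x, guess):
    """1/2 + EPS advantage oracle for b_target relative to b_prev."""
    if guess != b_prev(x):
        return 1 - b_target(x)           # misinformed: answers wrongly
    return b_target(x) if x % 4 != 0 else 1 - b_target(x)

def split(oracle):
    """Build O_1 (predicts b_target with no help) and O_2 (predicts
    b_prev XOR b_target).  `coin` is a fair bit supplied by the caller,
    used whenever the procedure declines to use the oracle's answer."""
    def o1(x, coin):
        u, v = oracle(x, 1), oracle(x, 0)
        return u if u == v else coin
    def o2(x, coin):
        u, v = oracle(x, 1), oracle(x, 0)
        return v if u != v else coin
    return o1, o2

def exact_fractions(oracle):
    """The counting argument: fraction of X on which O_1 and O_2 answer
    correctly, crediting each coin flip exactly 1/2.  The two fractions
    always sum to (1/2 + EPS) + 1/2, so one of them is >= 1/2 + EPS/2."""
    s1 = s2 = 0.0
    for x in range(M):
        u, v = oracle(x, 1), oracle(x, 0)
        if u == v:
            s1 += (u == b_target(x)); s2 += 0.5
        else:
            s2 += (v == (b_prev(x) ^ b_target(x))); s1 += 0.5
    return s1 / M, s2 / M

def sampled_fractions(oracle, trials=20000, seed=1):
    """What Construct-Oracle actually does: estimate both by sampling."""
    rng = random.Random(seed)
    o1, o2 = split(oracle)
    c1 = c2 = 0
    for _ in range(trials):
        x = rng.randrange(M)
        c1 += o1(x, rng.getrandbits(1)) == b_target(x)
        c2 += o2(x, rng.getrandbits(1)) == (b_prev(x) ^ b_target(x))
    return c1 / trials, c2 / trials

def construct_oracle_step(oracle, eps, trials=20000, seed=1):
    """One level of Construct-Oracle: keep whichever derived oracle
    scores at least 1/2 + eps/4 in the sample."""
    o1, o2 = split(oracle)
    f1, _ = sampled_fractions(oracle, trials, seed)
    return ("O_1", o1) if f1 >= 0.5 + eps / 4 else ("O_2", o2)

if __name__ == "__main__":
    f1, f2 = exact_fractions(oracle)
    print(f"exact: O_1 {f1:.3f}, O_2 {f2:.3f}, sum {f1 + f2:.3f} = 1 + eps")
    print("sampled:", sampled_fractions(oracle))
    print("Construct-Oracle keeps", construct_oracle_step(oracle, EPS)[0])
```

With this particular oracle all of the advantage ends up in $O_2$ (0.875 against 0.375 for $O_1$): the oracle's agreement or disagreement between the two guesses leaks whether it was correct, which is exactly the information the XOR predicate captures. Other constructions of the misinformed branch shift the split, but the sum $1 + \epsilon$ is invariant.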



4. Proving the XOR-Condition, and Improving the Security of the $x^2 \bmod N$ Generator.

In this section we state the theorems on the XOR-Condition, and briefly sketch the 
main ideas of their proofs. Detailed proofs will follow in the final paper. 

Theorem 3: The parity function of the $x^2 \bmod N$ generator is as hard as factoring, i.e. for any $t > 0$, an oracle which has a $1/2 + 1/n^t$ advantage in guessing $\mathrm{parity}(x)$ on input $x^2 \bmod N$ can be used to factor $N$. Here $x$ is the unique square root of $x^2 \bmod N$ which is a quadratic residue.

By modifying the algorithm of [1], we show how to use the parity oracle to extract square roots mod $N$ efficiently. The main difficulty is that the parity oracle gives the least significant bit of the square root which is a quadratic residue. Thus on query $x^2 \bmod N$, if $x$ is a quadratic residue mod $N$, the oracle will give $\mathrm{lsb}(x)$. Else, it gives the complement. In some sense the oracle gives the $\mathrm{lsb}(x)$ encrypted within the hard function - quadratic residuosity. How can the oracle's answers be interpreted correctly? The key idea is that a parity oracle with a small advantage can be used to implement a residuosity oracle which is correct with overwhelming probability [3]. This residuosity oracle may be used to "decrypt" the answers of the parity oracle.

This proves that the location function is also as hard as factoring, since a $1/2 + 1/n^t$ oracle for location can be converted to a $1/2 + 1/n^t$ oracle for parity: $\mathrm{parity}(x) = 0$ iff $\mathrm{location}(x/2) = 0$.

Theorem 4: The function parity xor location of the $x^2 \bmod N$ generator is as hard as factoring.

We simply note that in the decryption algorithm [1], we already know the location of the numbers we query about. So the oracle for parity xor location is in effect giving us parity, which is sufficient for decryption.

Theorem 5: For each non-empty subset $S$ of the $\log\log N$ least significant bits of the $x^2 \bmod N$ generator: obtaining a $1/2 + 1/n^t$ advantage in guessing the XOR of these bits is as hard as factoring.

The idea presented in [12] will suffice along with the decryption algorithm [1]. Let the most significant bit being considered in $S$ be the $k$th bit, $k < \log\log N$. Instead of running the gcd algorithm on "small messages" in the interval $[-\epsilon N, \epsilon N]$, we will choose the small messages in the interval $[-\epsilon N/2^{k-1}, \epsilon N/2^{k-1}]$. Now, for any $x$ in this smaller interval, $\mathrm{lsb}(x) = 1$ iff the XOR of the bits of $S$ in $2^{k-1} x$ is 1, because the $k-1$ least significant bits of $2^{k-1} x$ are all 0's. So, in order to obtain the lsb of a number in the interval $[-\epsilon N/2^{k-1}, \epsilon N/2^{k-1}]$, we simply multiply it by $2^{k-1}$, and run the modified algorithm of Theorem 3. In a similar manner, we can prove the XOR-Condition for the RSA and Rabin Schemes also:

Theorem 6: For each non-empty subset $S$ of the $\log\log N$ least significant bits of the RSA/Rabin Schemes: obtaining a $1/2 + 1/n^t$ advantage in guessing the XOR of these bits is as hard as decrypting RSA/factoring.



5. Going Beyond $\log n$ Bits.

How many bits can we hope to extract securely on each multiplication? We first make two simple observations. Certainly not all $n$ bits, because then all boolean predicates of $x$ would be secure even though $E(x)$ is given. But, for example for RSA, we know that Jacobi Symbol($x$) = Jacobi Symbol($E(x)$), which is efficiently computable. Secondly, notice that in all the proofs, $\log n$ can be replaced by $c \log n$, for any constant $c$.

In proving bit security, we limited the reductions (algorithms to decrypt the one-way function, using an oracle for the bit) to be probabilistic polynomial time. If the computational complexity of the underlying one-way function is much more than a polynomial, then there is no reason to put this restriction. For example, if the intractability assumption on the underlying one-way function states that its computational complexity is $o(n^{\log n})$, then the reduction can be allowed $O(n^{\log n})$ time. In this case our proofs can be modified to show that $\log^2 n$ least significant bits satisfy the XOR-Condition with $1/2 + 1/n^{\log n}$ security for the bits and their XORs. These $\log^2 n$ bits can be output by a pseudo-random number generator, by a simple modification of the proof of Theorem 2. In general, if the assumption on the complexity of the underlying one-way function is $o(f(n))$, then our proofs extend to showing that $\log(f(n))$ bits can be securely output at each stage. For example, presently the fastest factoring algorithm runs in time $O(2^{\sqrt{n \log n}})$. So, if we assume $f(n) = 2^{\sqrt{n}}$, we can securely extract $\sqrt{n}$ bits on each multiplication.
AN LSI RANDOM NUMBER GENERATOR (RNG)

R. C. Fairfield, R. L. Mortenson, & K. B. Coulthart

25 Lindsley Drive
Morristown, New Jersey 07960

INTRODUCTION 

This paper describes a CMOS digital LSI device which generates a 
random bit stream based on the frequency instability of a free running 
oscillator. The output of the device is a truly random binary number; 
not pseudo random. 

The device was developed to be used, principally, in 
cryptographic systems as a source for cryptographic keys and/or 
initial values. Some cryptographic systems rely on pseudo random generator schemes as a source of keys and initial values, but a cryptographically secure system demands the use of truly random numbers.

DESIGN OBJECTIVES 

At the outset of the device development four design objectives 
were established. 

(1) The fundamental source of the random binary number had to be based 
on a natural statistical or probabilistic phenomenon. 

(2) A completely digital IC was desired. 

(3) The device should operate in a microprocessor controlled environment. That is, a microprocessor compatible interface had to be provided.

(4) Means to run periodic checks of the circuitry had to be provided. 
IMPLEMENTATION

The fundamental probabilistic phenomenon utilized on the device is the frequency instability of a free running oscillator. The use of this phenomenon to generate truly random numbers is not new. The RAND Corporation used this phenomenon to generate a table of a million random digits which it published in 1955 [1].

In the device under discussion here, a random bit stream is 
generated by digitally mixing two independent square waves in a 
positive-edge-triggered D-type flip-flop. In the implementation, a 
low frequency wave is used to clock the flip-flop and in so doing 
sample a high frequency wave which is applied to the flip-flop input 
data lead. The circuit is shown in Figure 1. 



DIGITAL MIXER
(Figure 1: D-type flip-flop mixer with waveforms; labels HIGH FREQUENCY DATA INPUT, LOW FREQUENCY CLOCK INPUT, MIXER OUTPUT. Diagram not reproduced.)

Figure 1



The IC contains two on-chip oscillators. One produces a high frequency nonadjustable 8 MHz square wave which can be used as the sampled signal at the data input. The second oscillator frequency is adjustable with external resistors and capacitors and can be used as the sampling signal applied to the clock lead of the mixer. The data and clock signals can also be supplied from off-chip sources. It is not recommended that the 8 MHz on-chip oscillator be used. Weak coupling or interaction between the two oscillators has been observed and this may affect the randomness of the number produced. The use of an off-chip high frequency square wave oscillator, preferably crystal controlled, will substantially reduce any possibility of coupling. The use of an RC controlled oscillator for the sampling signal is favored over an LC or crystal controlled oscillator in this application because of the inherently lower Q of the frequency determining circuits. The result is higher noise and poorer spectral purity and thus larger period variations in the output waveform [2], [3].

If the high frequency signal has a 50% duty cycle and the low 
frequency clock has significant cycle to cycle period variation, each 
successively generated bit is independent and has equal probability of 
being a "one" or a "zero". What is meant by significant is defined 
below. Of course, neither of these conditions hold in general. Thus, 
deterministic circuitry must be used to eliminate bias caused by less 
than ideal signals. 

If the high frequency sampled square wave has something other than a 50% duty cycle there will be a bias toward either "one" or "zero" bits at the sampling D-type flip-flop output. This bias can be effectively removed if groups of samples are passed through an exclusive-or chain. Figure 2 shows an implementation which generates a single random bit by taking the exclusive-or sum of four stored bits. The data rate is reduced by four since bits are not reused. This circuit is implemented on the IC with the left most or first flip-flop performing the digital mixing of the two applied square waves. The bias correction achieved by such a circuit is given by the following. If the duty cycle of the high frequency square wave is p, the probability of obtaining a "one" as a sample is p while the probability of obtaining a "zero" is 1-p. However, if n independent samples obtained from a biased signal are passed through an exclusive-or chain, the probability that the bit at the output of the chain is "one" is given by

$P_x(1) = 0.5 - 2^{n-1}(p - 0.5)^n$

while the probability that the bit is a "zero" is given by

$P_x(0) = 0.5 + 2^{n-1}(p - 0.5)^n$
Thus if the duty cycle of the high frequency square wave is 55% and the exclusive-or operation is performed over four samples, the probability of obtaining a "one" out of the exclusive-or chain is

$P_x(1) = 0.49995$

while the probability of obtaining a "zero" is

$P_x(0) = 0.50005$

In the above equations it can be seen that as n goes to infinity the probability approaches 0.5.
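The parity filter's bias correction, as an added worked example (not the authors' code). The biased samples are constructed: a square wave with duty cycle p sampled at random instants gives a "one" with probability p, independently per sample. Besides the paper's expression for four samples, the block carries the general closed form $(1 - (1-2p)^n)/2$, which agrees with the paper's formula for even n and flips the sign of the correction term for odd n, checks it by enumeration, and measures the residual bias by simulation.

```python
import random
from itertools import product

# Added example (not the paper's code): bias removal by an exclusive-or chain.
# The "samples" are constructed: a square wave with duty cycle p sampled at
# random instants yields a "one" with probability p, independently per sample.

def p_one_paper(p, n):
    """P_x(1) as printed in the paper: 0.5 - 2^(n-1) (p - 0.5)^n."""
    return 0.5 - 2 ** (n - 1) * (p - 0.5) ** n

def p_one_general(p, n):
    """Closed form valid for every n: P(XOR of n Bernoulli(p) bits = 1)
    = (1 - (1 - 2p)^n) / 2.  For even n it equals the paper's expression;
    for odd n the sign of the correction term flips."""
    return (1 - (1 - 2 * p) ** n) / 2

def p_one_enumerated(p, n):
    """Brute-force check of the closed form by summing over all 2^n patterns."""
    total = 0.0
    for bits in product((0, 1), repeat=n):
        prob = 1.0
        for b in bits:
            prob *= p if b else 1 - p
        if sum(bits) % 2:
            total += prob
    return total

def residual_bias(p, n):
    """How far the chain output still is from a fair bit."""
    return abs(p_one_general(p, n) - 0.5)

def measured_p_one(p, n, groups=50000, seed=7):
    """Monte Carlo: generate biased samples, XOR non-overlapping groups of n
    (no sample is reused, so the rate drops by a factor n) and return the
    observed fraction of ones."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(groups):
        acc = 0
        for _ in range(n):
            acc ^= 1 if rng.random() < p else 0
        ones += acc
    return ones / groups

if __name__ == "__main__":
    for n in (1, 2, 4, 8):
        print(n, "samples: P(1) =", round(p_one_general(0.55, n), 6),
              "residual bias", format(residual_bias(0.55, n), ".2e"))
    print("paper, n=4, p=0.55:", p_one_paper(0.55, 4))
    print("measured, n=4, p=0.55:", measured_p_one(0.55, 4))
```

The residual bias shrinks geometrically in n, which is why the later text can note that the scrambler's additional exclusive-oring makes the four-sample parity filter itself dispensable.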

PARITY FILTER
(Figure 2: parity filter built from the mixer flip-flop and an exclusive-or chain; inputs labelled HF CLK and JITTER CLOCK. Diagram not reproduced.)

Figure 2



The second bias or difficulty which arises stems from insufficient phase jitter or frequency fluctuations on the clock input. As previously stated, if the low frequency clock has significant cycle to cycle period variation, each successively generated sample is independent and an individual cannot accurately predict the state of a sample knowing the state of the preceding sample and the mean frequencies of the two signals generating them. Figure 3 and Table 1 show the probability of guessing a bit in sequence knowing the expected periods of the high and low frequency oscillators, the standard deviation of the low frequency oscillator's period variations, plus the state of the previous bit.
Figure 3 (plot not reproduced; the plotted values are those of Table 1)



2 x S.D./Td     PROB[Bi|Bi-1]
***********     *************
   2.00          0.50000+
   1.50          0.500006
   1.25          0.500180
   1.00          0.502891
   0.75          0.525041
   0.50          0.617052
   0.25          0.797871
   0.20          0.837035
   0.10          0.913442

S.D. = standard deviation of the low frequency period variation.
Td   = period of the high frequency oscillator.

Table 1

It is clear from Table 1 that if twice the standard deviation of the low frequency period variation is but a fraction of the high frequency oscillator period there is significant bit to bit correlation and individual bits can be guessed from the state of preceding bits. On the other hand, if the ratio of twice the standard deviation of the low frequency period variation to the high frequency oscillator period is greater than 1.5 there is little bit to bit correlation.

In general one does not get cycle to cycle period variations from the D-type flip-flop clock such that the variations span 1.5 or more cycles of the data input signal. Thus, there will be sample to sample correlation between bits out of the flip-flop and, knowing one sample and the mean frequencies of the input signals, one can predict the state of the next sample with some degree of accuracy. As with the duty cycle bias, the sample to sample correlation may be effectively removed through the use of exclusive-or circuits. The correlation correction is achieved as samples generated many clock cycles apart are exclusive-ored together. The circuit in Figure 4, which appears on the IC and is fed from the output of the parity filter shown in Figure 2, performs this task.
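To make Table 1 and the correlation argument concrete, here is an added simulation (not the authors' model and not the chip's wiring). A low frequency clock whose period carries accumulating Gaussian jitter samples a square wave, as the D-type flip-flop mixer does; the bit stream is scored by how well the previous bit predicts the next one, which is the quantity PROB[Bi|Bi-1] of Table 1 estimated empirically; and a simplified scrambler built from the spacings visible in Table 2 (five taps 429 cycles apart, consecutive outputs 106 cycles apart, an assumption rather than the chip's exact register structure) is applied to the same stream. The ratios 2 x S.D./Td = 0.1 and 2.0 are taken from the table; the mean clock period of 1000.02 high-frequency periods is a constructed value.

```python
import random

# Added simulation, not the authors' model: a jittered low frequency clock
# samples a square wave (the D flip-flop mixer), and the bit stream is
# scored by how predictable each bit is from its predecessor.

def mixer_bits(n, t_high, t_low_mean, sd, duty=0.5, seed=0):
    """n samples of a square wave of period t_high (high for the first
    duty*t_high of each cycle) taken at the rising edges of a clock whose
    period is t_low_mean + N(0, sd).  Jitter accumulates from edge to edge,
    as the paper notes for the on-chip oscillator."""
    rng = random.Random(seed)
    t, bits = 0.0, []
    for _ in range(n):
        t += t_low_mean + rng.gauss(0.0, sd)
        phase = (t % t_high) / t_high
        bits.append(1 if phase < duty else 0)
    return bits

def guess_rate(bits):
    """Fraction of bits an observer predicts correctly from the previous
    bit using the best rule the stream itself supports (an empirical
    PROB[Bi|Bi-1] in the sense of Table 1)."""
    counts = {(a, b): 0 for a in (0, 1) for b in (0, 1)}
    for prev, cur in zip(bits, bits[1:]):
        counts[(prev, cur)] += 1
    best = sum(max(counts[(p, 0)], counts[(p, 1)]) for p in (0, 1))
    return best / (len(bits) - 1)

def scramble(bits, n_out, spacing=106, stride=429, taps=5):
    """Simplified scrambler model built from the spacings visible in Table 2
    (an assumption, not the chip's register wiring): output r is the XOR of
    `taps` samples `stride` cycles apart, and consecutive outputs are
    offset by `spacing` cycles."""
    need = (n_out - 1) * spacing + (taps - 1) * stride + 1
    assert len(bits) >= need, "not enough samples"
    out = []
    for r in range(n_out):
        v = 0
        for m in range(taps):
            v ^= bits[r * spacing + m * stride]
        out.append(v)
    return out

def demo(ratio, n=20000, seed=1):
    """Guess rate for a given 2*S.D./Td ratio (Td = t_high = 1.0); the mean
    clock period 1000.02 is a constructed value close to a multiple of Td."""
    return guess_rate(mixer_bits(n, 1.0, 1000.02, ratio / 2, seed=seed))

if __name__ == "__main__":
    for ratio in (0.1, 0.5, 1.0, 2.0):
        print(f"2*S.D./Td = {ratio:4.2f}: guess rate {demo(ratio):.3f}")
    raw = mixer_bits(2000 * 106 + 4 * 429 + 1, 1.0, 1000.02, 0.05, seed=2)
    print("raw stream at ratio 0.1:", round(guess_rate(raw), 3),
          "after scrambling:", round(guess_rate(scramble(raw, 2000)), 3))
```

At a ratio of 0.1 the raw mixer output is about 90% predictable from its predecessor, in line with Table 1, while at 2.0 it is indistinguishable from a fair coin; after the scrambler the 0.1 stream also drops to the coin-flip level, because the samples being combined are separated by enough accumulated jitter to be independent.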

SCRAMBLER CIRCUIT
(Figure 4: scrambler block diagram; recoverable labels: 5-state counter, multiplexer, random access register, 107-bit shift registers combined through exclusive-or gates, output to bus comparator and run-up test. Diagram not reproduced.)

Figure 4

The magnitude of the correlation correction stems from the Gaussian distribution model which can be used for the low frequency oscillator period variations. The Gaussian distribution has the property that a change in the random variable (the period) yields a like change in the standard deviation. This linear property has been experimentally verified in the case of the on-chip oscillator. If we consider samples taken ten cycles apart, as opposed to successive samples, the standard deviation of the tenth clock edge with respect to the first clock edge is tenfold the standard deviation between successive clock edges. Thus, samples taken many cycles apart have low correlation, and the lower the correlation of the samples passing through an exclusive-or network, the lower the probability of predicting the state of the exclusive-or output with any degree of certainty. The spacing of the first five register samples which are exclusive-ored in the circuit of Figure 4 is shown in Table 2.



SCRAMBLER REGISTER CONTENT AFTER 2680 SAMPLES
*********************************************

REGISTER NUMBER     CONTENT
***************     *******
       1            307+736+1700+2129+2558
       2            413+842+1271+2235+2664
       3            90+519+948+1377+1806
       4            625+1054+1483+1912+2341
       5            196+1160+1589+2018+2447
       6            302+731+1695+2124+2553
       7            408+837+1266+2230+2659
       8            85+514+943+1372+1801
       9            620+1049+1478+1907+2336
      10            191+1155+1584+2013+2442
      11            297+726+1690+2119+2548
      12            403+832+1261+2225+2654
      13            80+509+938+1367+1796
      14            615+1044+1473+1902+2331
      15            186+1150+1579+2008+2437
      16            292+721+1685+2114+2543
     107            308+737+1166+2130+2559

The symbol + stands for an exclusive-or operation.

Table 2
The table should be read as follows: After 2680 samples have been input to the scrambler, the content of scrambler register one is the exclusive-or sum of the 307th, 736th, 1700th, 2129th, & 2558th samples. As is evident from Table 2, the registers in the scrambler contain the exclusive-or sum of samples generated 429 or 964 clock cycles apart, or the exclusive-or sum of independent samples. Also, upon examination of registers 1 and 107 it is apparent that pairs of successively generated bits do tend to accumulate in pairs of registers. However, this pair accumulation is not complete in that one pair of bits in registers 1 and 107 are samples which are generated 534 clock cycles apart. Samples generated 534 cycles apart are independent. Looking down the register contents we see that the closest correlation exists between registers spaced five apart since they contain pairs of samples all of which are generated five clock cycles apart.

One item to note is that as signals feed into the scrambler and are exclusive-ored with other samples, the duty cycle bias correction is enhanced. Actually, the parity filter shown in Figure 2 is not necessary and if it were removed from the IC, the generation and accumulation of a random number in the scrambler circuit would occur four times faster.

EXPERIMENTAL RESULTS 

The effects of frequency instabilities on the digital mixing operation are best illustrated through the digital mixer transfer function shown in Figure 5. At the output of the mixer it is most appropriate to speak of output sequency as opposed to the output frequency. One can speak of the mixer output frequency only in the sense of the fixed number of transitions which occur in a given period for, in general, the transitions are not evenly spaced in time. Thus, we speak of output sequency or the output patterns generated. As evident from Figure 5, the transfer function of the digital mixer is a periodic function with period equal to the frequency of the clock input. The output sequency varies from: a steady string of "ones" or "zeros" when the data lead frequency is an integral multiple of the clock; to the most rapidly varying sequence of alternating "ones" and "zeroes" which occurs when twice the data lead frequency is an odd integral multiple of the clock frequency. At other data lead frequencies, different patterns are generated.

In the presence of clock lead frequency or period fluctuations, the digital mixer output sequency fluctuates. In the current application one would like the frequency fluctuations to be large enough to cover all possible output patterns. Of course, this in general will not occur. To determine what will occur one must know the extent of the fluctuations of the oscillators being used. Two types of parameters are generally of interest in describing oscillators: the short term or instantaneous frequency variations and the long term frequency drift. Figure 6 shows the experimentally measured (short term) fluctuations of the on-chip RC oscillator at two different frequencies. Figure 7 shows the effects of the measured low frequency period variations on the output sequency given a data lead frequency in the vicinity of 8.1 MHz. In Figure 7, the mixer transfer characteristics for the experimentally measured clock oscillator frequencies are plotted about the high frequency data lead operating point. The solid lines represent the mixer characteristic with the clock frequency set to its nominal value minus the standard deviation and the dashed lines represent the characteristic for the clock set to its nominal value plus the standard deviation. For a completely stable high frequency, only a portion of the possible output patterns are covered by the frequency variations. For the 3.674 KHz signal, approximately 7% of the possible patterns will be generated while for the 1.125 KHz signal, approximately 23% of the patterns will be generated. This, of course, indicates that the lower clock frequency is more desirable for the generation of the random number. Figure 8 shows the long term drift of the on-chip RC oscillator mean frequency when operating about 1.125 KHz.

This variation translates to an almost 700 Hz shift in the transfer function about the 8.1 MHz clock. Thus, over a long period of time (hours) one can expect the operating point to be uniformly distributed over all possible patterns.

Figure 9 shows the power spectrum of the data coming out of the IC's D-type flip-flop mixer.



(Figure 9: average power spectrum of the mixer output; labels AVERAGE POWER and OSCILLATOR CHARACTERISTICS. Plot not reproduced.)

Figure 9



Data was broken up into blocks of 1024 nonoverlapping samples and the power spectrum was estimated and averaged over a file of approximately a quarter of a million points. One sees that the power is confined to a band of frequencies (sequencies) about some mean. Figure 10 shows the power spectrum after exclusive-oring adjacent samples and scrambling groups of five bits as the scrambler circuit of Figure 4 would. One sees that after scrambling the energy is uniformly spread over all frequencies as it should be for a truly random bit stream.

Figure 11 shows the power spectrum of a second set of D-type flip-flop mixer samples. This time the spectrum is centered about a different mean frequency and the deviation from the mean is smaller. Also, one sees a d.c. term indicating a local bias (within 1024 samples) in the data toward either a "one" or a "zero". Figure 12 shows the data after adjacent bits are exclusive-ored and scrambled. Note, a d.c. component is still present. This component is removed with additional scrambling of bits. In actual IC operation, each register in the scrambler will contain the exclusive-or sum of a minimum of nine samples before the user can remove a random number from the device. This amount of scrambling removes the d.c. component seen in Figure 12. Figure 13 shows the effect of scrambling five bits without first exclusive-oring adjacent terms. Note that there is no d.c. term in this spectrum. This indicates that the IC would perform better if adjacent bits were not exclusive-ored before they were fed into the scrambler.

RNG INTEGRATED CIRCUIT FEATURES

1. 8 bit bidirectional Data Bus.

2. Separate Read (RD~), Write (WR~) and Chip Select (CS~) inputs. Note: The ~ is used here and in the following text to designate the complement or inverse of a signal.

3. 3 bit input Address Bus.

4. Generation of a 536 bit random number accessible in sixty-seven, eight bit bytes.

5. Elementary randomness check via internal 4 bit "run-up" test, during which time a random number is accumulating in the scrambler. External access to statistics generated, i.e., not just a pass fail test. "Run-up" test limits programmed through the host processor. This test may be used to verify the internal circuitry.

6. Internal verification that the data generated and stored in the RNG is the same as the data appearing on the data bus during a microprocessor read of the device.

7. Use of on-chip oscillators or external signals.

8. Output flags, Data Ready and Alarm, may be read from the data bus or on independent output pins. This enables either processor interrupt or processor polled systems to be configured.
RNG OPERATION

The block diagram of the RNG is shown in Figure 14. The device is configured to appear as a standard microprocessor peripheral. There are eight internal registers for control and/or status reporting. All of these registers may be read. The Upper and Lower Limit Registers, used in a "run-up" test, plus the Status/Command Register control device operation and must be written to, by the host processor, before proper operation can begin.

Following device initialization by the controlling processor, random number generation is initiated with a master reset pulse. Ensuing this master reset, random bits are generated and fill the 536 bit (67 byte) Random Data Byte Register. Following the initial fill, a "run-up" test (described below) is executed on the last four bits in the shift register. If the test passes, the Data Ready flag goes active and the host processor can address the Random Data Byte Register to read the 67 bytes. At the end of the sixty-seventh read pulse, the device automatically behaves as if a new master reset pulse was received. If the "run-up" test fails, the Data Ready flag remains inactive, the Alarm flag goes active and any attempt to read the random data bytes is inhibited. The alarm condition remains active until a Master Reset is issued. Access to the Random Data Byte Register continues to be denied until a "run-up" test is passed.

During any read operation of the random data bytes, the number output to the data bus is checked against the number stored in the shift register and a Bus Error flag goes active if there is any discrepancy. This flag state may be read directly from the Status/Command Register or on the output Alarm pin; it indicates a catastrophic condition due to hardware failure.

RUN-UP AND SELF TEST 

During a run-up test the last four bits in the shift register are 
compared to the output from a 4 bit Pattern Counter. If both bit 
patterns match, an Event Counter is incremented. At the end of one 
thousand non-overlapping four bit tests on a fixed pattern, the result 
accumulated in the Event Counter is compared to the contents of the 
Upper and Lower limit registers. If the event count is outside the 
stored limits the test fails. It takes approximately 20 seconds to 
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execute a "run-up" test with the low frequency jitter oscillator set 
to 1 KHz. If a different frequency is used, be it from the internal 
or an external source, the testing time may be computed by multiplying 
the Jitter oscillator period by 20,096. At the end of a "run-up" 
test, every scrambler register location will be the exclusive-or sum 
of either nine or ten data bits coming from the parity filter. 

If the random bits are independent with P ( 1 )=P ( 0)=0 .5 the 
probability of any 4 bit pattern is simply 0.0625 and the expected 
event count for 1000 samples is 62.5. The event count has a binomial 
distribution with a standard deviation of 7.65. Using the normal 
approximation to the binomial distribution, the probability of a test 
failing can readily be computed. For example, if the limits are set 
at plus and minus twice the standard deviation, the probability of the 
test failing is 0.0456 (taken from a table of values of the Standard 
Normal Distribution Function). At plus and minus three times the 
standard deviation, the probability of the test failing is 0.0026. In 
the device structure, the upper and lower limits are entered and 
appear in registers as hex integers. This test will distort the 
random numbers coming out of the device by eliminating patterns having 
very low probability. To prevent this, the upper limit register can 
be loaded with FF (255) and the lower limit register with 00. With 
these limits, the test will never fail. The run-up test may be used 
to completely test the deterministic circuitry by using the "Alarm 
Test" circuitry explained in the next section. 

At this point it is worth talking about oscillator failure and 
its detection. If the low frequency oscillator were to fail, device 
operation would halt since that oscillator is used to clock the entire 
chip. The Data Ready flag would never go active. If the high 
frequency oscillator were to fail either high or low, the output of 
the parity filter would be all zeroes. Hence, to check for a high 
frequency failure the run-up test may be used with the limits set to 
01 and FE (254). A master reset must be issued before running the 
test in order to set the scrambler register to zero. If the 
oscillator were stuck, any of the 16 possible patterns would fail. 
The chance of a fully operating device failing under these conditions 
is 

$\approx 6.22 \times 10^{-16} \qquad (8\sigma)$. 

Therefore, it may be a good idea to normally operate the device in 
this manner. 
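The run-up statistics above, worked through in Python as an added example (not code from the paper or the device): the normal-approximation tail probabilities for limits at 2, 3 and 8 standard deviations, and a software model of the 1000-sample pattern test run over constructed bit streams, including the stuck-high-frequency-oscillator case (all-zero parity filter output) with the limits 01 and FE. The bit streams and the seed are constructed stand-ins for the physical source.

```python
"""Model of the RNG 'run-up' test and its failure statistics (added example)."""
import math
import random

SAMPLES = 1000          # non-overlapping 4-bit tests per run-up
P_PATTERN = 1.0 / 16    # probability of any fixed 4-bit pattern for unbiased independent bits
MEAN = SAMPLES * P_PATTERN                                 # expected event count, 62.5
SD = math.sqrt(SAMPLES * P_PATTERN * (1 - P_PATTERN))      # binomial standard deviation, 7.65


def normal_lower_tail(z):
    """P(Z < z) for the standard normal, computed via erfc instead of a printed table."""
    return 0.5 * math.erfc(-z / math.sqrt(2))


def fail_probability_at_sigma(k):
    """Failure probability when the limits sit at mean +/- k standard deviations (two-sided)."""
    return 2 * normal_lower_tail(-k)


def fail_probability_for_limits(lower, upper):
    """Normal approximation of P(count < lower or count > upper) for an unbiased source."""
    low = normal_lower_tail((lower - MEAN) / SD)
    high = 1 - normal_lower_tail((upper - MEAN) / SD)
    return low + high


def run_up_test(bits, pattern, lower, upper):
    """One run-up test: compare 1000 non-overlapping 4-bit groups of the bit stream with a
    fixed 4-bit pattern, count the matches (Event Counter), pass iff lower <= count <= upper."""
    if len(bits) < 4 * SAMPLES:
        raise ValueError("need at least 4000 bits for one run-up test")
    count = 0
    for i in range(SAMPLES):
        nibble = (bits[4 * i] << 3) | (bits[4 * i + 1] << 2) | (bits[4 * i + 2] << 1) | bits[4 * i + 3]
        if nibble == pattern:
            count += 1
    return count, lower <= count <= upper


def stuck_oscillator_always_fails():
    """High frequency oscillator stuck high or low: the parity filter emits all zeros.
    With limits 01..FE every one of the 16 patterns fails: pattern 0000 scores 1000 (> 254),
    every other pattern scores 0 (< 1)."""
    zeros = [0] * (4 * SAMPLES)
    return all(not run_up_test(zeros, p, 0x01, 0xFE)[1] for p in range(16))


def random_stream(seed):
    """Constructed unbiased bit stream standing in for the parity filter output."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(4 * SAMPLES)]


if __name__ == "__main__":
    print(f"mean {MEAN:.1f}, sd {SD:.2f}")
    print(f"fail at 2 sigma: {fail_probability_at_sigma(2):.4f}")
    print(f"fail at 3 sigma: {fail_probability_at_sigma(3):.4f}")
    print(f"fail with limits 01..FE: {fail_probability_for_limits(1, 254):.2e}")
    print("stuck oscillator detected for all patterns:", stuck_oscillator_always_fails())
    print("healthy stream, limits 01..FE:", run_up_test(random_stream(1), 0b1010, 0x01, 0xFE))
```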






REGISTERS 

There are eight addressable registers . Figure 15 defines data 
port output during a register read operation. 

[Figure 15: Random Number Generator, Read Operation] 

Figure 16 defines data port input during a write operation. 

1. Address 0 selects the read only Random Data Byte Register. 
Sixty-seven read pulses empties the shift register. After 
emptying the shift register the "run-up" test cycle begins 
again. If less than 67 read pulses are input, the device will 
remain inactive waiting for the remaining pulses unless a Master 
Reset is issued. Addressable register 6 is a down counter and 
keeps track of the number of random bytes remaining in the shift 
register. 

2. Address 1 selects the read/write Status/Command Register and 
must be written to, before certain device operations can begin. 

A. Bit 0 of the Status/Command Register is a read only, 
active low Data Ready flag (DRDY~) used to indicate a 
"run-up" test has passed and a 67 byte random number is 
stored in the Random Data Byte Register (Address 0). This 
flag remains active until: all 67 random data bytes have 
been read, a bus error is detected, or a Master Reset is 
issued. This information is also available on the Data 
Ready output pin. 

B. Bit 1 of the Status/Command Register is a read/write, 
active high, Master Reset command. If active, a Master 
Reset condition exists until this bit is cleared by 
pulsing the external Master Reset pin or by writing a "0" 
to this bit. A master reset clears the scrambler. 

C. Bit 2 of the Status/Command Register is a read/write, 
active high Free Run command (FR). In the inactive 
state, the device executes a single "run-up" test and 
halts operation. If the test passes, the Data Ready flag 
goes active and all 67 random data bytes must be read (or 
a Master Reset issued) before a second "run-up" test is 
begun. If Bit 2 is set active, the device continually 
executes "run-up" tests. The Data Ready flag will go 
active after the first "run-up" test passes and remain 
active until a failure. Once this flag has gone active, 
data can be read from the Random Byte Register. During 
the reading of the Random Byte Register, "run-up" tests 
temporarily cease. That is, with the first read pulse 
accessing the Random Byte Register, the current "run-up" 
test halts. After the sixty-seventh read pulse which 
empties the Random Byte Register, "run-up" tests start 
anew. When a failure occurs the Alarm flag goes active, 
the Data Ready flag goes inactive, and any attempt to read 
from the Random Byte Register is inhibited. An Alarm 
condition can only be cleared by a Master Reset. Bit 2 
can be set at any time during chip operation. An external 
Master Reset pulse clears bit 2, but an internal Master 
Reset has no effect. 

D. Bit 3 of the Status/Command Register is a read/write, 
active high Alarm Test command (ALRMT). If active, a 
known sequence of zeros and ones is automatically loaded 
into the Random Byte Register producing known pattern 
counts for the "run-up" test. The counts which are 
generated are given in Table 3. 
This test is used to check the "run-up" and alarm 
circuitry. It can also be used to produce a known pattern 
in the Random Byte Register which can be read out if 
desired. This pattern is also listed in Table 3. In 
order for this test to operate correctly the device must 
be first cleared with the internal Master Reset command 
(set bit 1). Then, on a subsequent write cycle, the 
internal master reset command bit must be cleared 
simultaneously with the Alarm Test bit being set. Bit 3 
is cleared with an external Master Reset (internal Master 
Reset has no effect). 

E. Bit 4 of the Status/Command Register is a read only, 
active high Alarm flag (ALRM). If active, a "run-up" 
test has failed. An active Alarm flag will inhibit device 
operation and can only be cleared by a Master Reset. This 
information is also indicated by an active Alarm flag pin. 

F. Bit 5 of the Status/Command Register is a read only, 
active high Bus Error flag (BE). If active, there has 
been a discrepancy between the data in the Random Data 
Byte Register and the data appearing on the eight bit 
bidirectional Data Bus during a read of the register. An 
active Bus Error flag will inhibit device operation and 
can only be cleared by a Master Reset. This information 
is also indicated by an active Alarm flag pin. 

G. Bits 6 and 7 of the Status/Command Register are unused and 
always low. 

3. Address 2 selects the read only Event Count Register. This 
register stores the hex event count from the most recently 
completed "run-up" test. This is an eight bit register and the 
maximum count it can display is decimal 255. A reading less 
than 255 (hex FF) indicates the actual event count obtained 
during the last "run-up" test while a reading of 255 indicates 
an event count of 255 or more. 

4. Address 3 selects the read only Pattern Register. This register 
stores the 4 bit hex pattern associated with the most recently 
completed "run-up" test. At the completion of every successful 
"run-up" test, the pattern counter is incremented. If the "run-
up" test fails, the pattern is not changed and the test is 
repeated following a Master Reset. Master Reset does not affect 
this counter. On power up this counter assumes an arbitrary 
state and increments from there. 

5. Address 4 selects the read/write Lower Limit Register. This 
register stores the hex lower limit associated with the "run-up" 
test and must be written to before proper operation of the 
device can begin. 

6. Address 5 selects the read/write Upper Limit Register. This 
register stores the hex upper limit associated with the "run-up" 
test and must be written to before proper operation of the 
device can begin. 

7. Address 6 selects the read only Random Data Byte Counter 
Register. This down counter register keeps track of the number 
of random bytes left in the shift register (Address 0). 
Following an active Data Ready signal, this register is preset 
to hex 43 (67 decimal). After the 67 random data bytes have 
been read, this register is at hex 0 and remains there until the 
next active Data Ready signal. 

8. Address 7 selects the read only Direct Access Register. This 
register along with the TCLK pin allows the user to continually 
monitor the random data byte at the input to the scrambler. The 
random data is latched into this register on the rising edge of 
the TCLK signal and it can be read after this edge. If the 
internal random bit generator is used at 1 KHz, the TCLK period 
is approximately 32 milliseconds. Using a different jitter 
frequency or an external source, the TCLK period may be computed 
by multiplying the Jitter oscillator period by 32. 

Data read from this register has not been subjected to the 
bit scrambler and may have high bit to bit correlation. Thus, 
this data should not be used in place of data obtained from the 
Random Byte register as a random number but should only be used 
for device monitoring and/or testing. 

PIN DESCRIPTION 



Figure 17 shows the RNG pin configuration. 

1. VDD This is the +5 volt power supply input. 

2. GND Ground. 

3. MR~ Master Reset is used to clear the RNG when the Chip Select 
line is active. The control bits in the Status/Command Register 
(Address 1) are all set inactive, the Event Count Register is 
set to zero, the scrambler is cleared, and a test sequence is 
begun on the rising edge of the reset pulse. The Pattern 
Register (Address 3), Lower Limit Register (Address 4), and 
Upper Limit Register (Address 5) are unaffected. 

4. RD~ Read is an active low input used with the Chip Select, the 
Address Bus, and the Data Bus to read one of the eight internal 
registers. The data appears on the bus following the falling 
edge of the pulse and remains on the bus as long as RD~ is low. 
The Write input should be held inactive during a Read pulse. 

5. WR~ Write is an active low input used with the Chip Select, the 
Address Bus, and the Data Bus to write to one of three internal 
registers. The data is latched into the addressed register on 
the rising edge of the Write pulse. The Read input should be 
held inactive during a Write pulse. 

6. A2 - A0 The Address Bus input is used to select an internal 
register for a read or write operation. 

7. DB7 - DB0 The Data Bus, an eight bit bidirectional port, is 
used to read data from or write data to the internal registers. 
The output buffers driving the eight bit bus are in a high 
impedance state if either CS~ or RD~ are inactive. 

8. CS~ Chip Select is an active low input. When active MR~, RD~, 
and WR~ are enabled; when inactive these inputs are disabled. 

9. ALARM ~ Alarm flag is an active low output used to indicate 
either a "run-up" test failure or a bus error. Both of these 
conditions may also be read from the Status /Command Register 
(Address 1). An active Alarm flag may only be cleared by a 
Master Reset. 

10. DRDY~ Data Ready flag is an active low output used to indicate 
a "run-up" test has passed and a 67 byte random number is stored 
in the Random Data Byte Register. This flag may also be read 
from the Status/Command Register (Address 1). Following the 
rising edge of the sixty-seventh RD~ pulse, with the Random Data 
Register addressed (Address 0), the DRDY~ flag goes inactive. 

11. TCLK Test Clock is an output used with the Direct Access 
Register to monitor the random data at the input to the Random 
Data Byte Register. The random data is latched into the Direct 
Access on the rising edge of the TCLK signal and it can be read 
after this edge. Using the internal random bit generator (with 
jitter osc. set to 1 KHz), the TCLK period is approximately 32 
milliseconds. Using a different oscillator frequency or an 
external source, the TCLK period may be computed by multiplying 
the Jitter oscillator (JIT) Register period by 32. 

12. HFOS This pin controls a switch that determines the high 
frequency source for the chip: when HFOS is "0", the internal 
high frequency oscillator is used (about 8MHz); when HFOS is 1, 
an external oscillator is expected at the HFO pin. It is 
recommended that an external high frequency square wave be used 
for critical applications (possibly the system clock) . 
13. HFO This pin is bi-directional and serves two purposes: when 
HFOS is "0", HFO serves as an output for viewing the internal 
high frequency oscillator; when HFOS is 1, HFO serves as an 
input for an external high frequency oscillator. 

14. JITS This pin controls a switch that determines the jitter 
input source for the chip: when JITS is "0", the internal 
jitter oscillator is used; when JITS is 1, an external 
oscillator is expected at the JIT pin. 

15. JIT This pin is bi-directional and serves two purposes: when 
JITS is "0", JIT serves as an output for viewing the internal 
jitter oscillator; when JITS is 1, JIT serves as an input for an 
external jitter oscillator. 

16. BI This pin monitors the output of the first sampling D-type 
flip-flop at the front end of the parity filter. HFO is the 
data into the positive-edge-triggered flip-flop and JIT is the 
clock . 

17. K0, K1, K2 These leads are used to attach the external resistor 
and capacitor which control the frequency of oscillation of the 
on-chip jitter oscillator. The frequency of oscillation is 
approximately given by 

$f = 1/(2.2RC)$ 

The resistor is connected between K0 and K1 while the capacitor 
is connected between K0 and K2. 

18. TEST PINS used for manufacture purposes: MTEST This pin should 
always be grounded when in normal use. This is only used for 
manufacturing tests. TP0,TP1,TP2 These are only used for 
manufacturing tests and should remain floating since they are 
outputs. 

CONCLUSIONS 

An LSI CMOS random number generator which generates a truly 
random binary number has been described. The fundamental mechanism 
generating the random bit stream is based on a previously documented 
physical phenomenon and this paper has tried to quantify the magnitude 
of the parameters governing device performance. Statistical tests 
have been run on device output and no problems have been observed for 
sampling oscillator frequencies (Fc) below 2 KHz. Although it takes 
almost 20 seconds to generate a 67 byte number when a 1000 Hz sampling 
clock is used, the generation can be done in the background after 
power-up or during a session so that keys and/or initial values are 
available on request. This is the first integrated device of its type 
that we are aware of and it should solve the problem of generating 
cryptographic keys and/or initial values in cryptographic systems. 
ABSTRACT 

A generalized linear threshold scheme is introduced. The new scheme generalizes 
the existing linear threshold schemes. The basic principles involved in the con- 
struction of linear threshold schemes are laid out and the relationships between the 
existing schemes are completely established. The generalized linear scheme is used 
to provide a hierarchical threshold scheme which allows multiple thresholds necessary 
in a hierarchical environment. 

1. INTRODUCTION: 

The protection of important information is an age old problem. In any scheme 
devised to protect information, care has to be taken to ensure that the information 
does not get lost, destroyed, or into wrong hands, and at the same time the scheme 
should be efficient. A simple solution to protect the information from loss or de- 
struction, is to make multiple copies of the information and distribute the copies. 
But with multiple copies the probability that the information will get into wrong 
hands, increases and the simple solution becomes unacceptable. The question of pro- 
tection of information has received a lot of attention in recent years because of the 
proliferation of computers into areas such as electronic mail, electronic fund trans- 
fer, and storage of information. 

There have been several schemes, called cryptosystems, developed in the past to 
protect information. A very important and interesting class of cryptosystems called 
the public key cryptosystems came into existence in the seventies. The important 
concept underlying the public key cryptosystems is to create a cryptosystem such that 
the knowledge of the encoding key does not lead to the computation of the decoding key 
in a reasonable amount of computer time. This enables the public key cryptosystems 
to make the encoding key public and also solve the problem of electronic signature. 
The reader is referred to [Diffie 76], [Rivest 78] for discussion of the public key 
cryptosystems. In 1979, a different type of protection scheme, called the threshold 
scheme¹ was introduced independently by Blakely and Shamir. The important idea 
underlying the threshold scheme is to create "shadows"² of the message (secret) such that 

¹ The other commonly used names for threshold schemes are key safeguarding schemes and 
secret sharing schemes. 

² The term "shadows" was originally introduced by Professor Blakely in [Blakely 79]. 

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 231-241 1985 
© Springer- Verlag Berlin Heidelberg 1985 
unless a certain number (called the threshold) of "shadows" are available the 
message (secret) cannot be retrieved. Discussion of the threshold schemes is found 
in [Blakely 79], [Shamir 79]. Several other threshold schemes have been introduced 
since then. 

This paper focuses on four of the existing threshold schemes [Blakely 79], 
[Shamir 79], [Bloom], [Karnin 83]. It is shown that the four schemes are founded on 
common principles derived from linear algebra and for this reason we will refer to 
these four schemes as linear threshold schemes. A generalized linear threshold scheme 
which subsumes the various threshold schemes is presented. The generalized threshold 
scheme extracts the essence of the linear threshold schemes, making transparent the 
basic principles. 

Roughly speaking a generalized linear threshold scheme works as follows. A secret 
is represented by a scalar and a linear variety is chosen to conceal the secret. A 
linear functional fixed in the beginning, and known to all trustees is used to reveal 
the secret from the linear variety. The n shadows are hyperplanes containing the 
linear variety. Moreover the hyperplanes are chosen to satisfy the condition that 
the intersection of less than t ($t \le n$) of them results in a linear variety which 
projects uniformly over the scalar field by the linear functional used for revealing 
the secret. The number t is called the threshold. Thus as more shadows are known 
more information is revealed about the linear variety used to keep the secret; 
however, no information is revealed until the threshold number of shadows are known. 

Karnin et al show in [Karnin 83] that Shamir's and Blakely's schemes are special 
cases of their threshold scheme. It is shown here that with the exception of Shamir's 
scheme the remaining three threshold schemes are equivalent to each other and explicit 
algorithms are presented to convert one scheme to another. Shamir's scheme is a 
specialization of the remaining three schemes and all four schemes are 
specializations of the generalized linear threshold scheme. Also a much simpler proof of 
perfect security compared to [Blakely 81] is presented. This proof nicely explains 
the common mechanism used for perfect security in various linear threshold schemes. 

The generalized linear threshold scheme allows linear varieties of positive 
dimension to conceal the secret. This fact is utilized in constructing a hierarchical 
threshold scheme. The hierarchical threshold scheme uses a chain of linear varieties 
to keep a secret and allows multiple thresholds for hierarchy of trustees. 

2. DEFINITIONS AND PRELIMINARY RESULTS 

In this section some preliminary results and definitions are discussed. This 
material will be used in the construction of the generalized threshold scheme and 
also in the proofs to show that other threshold schemes are specializations of the 
generalized threshold scheme. Some of these are standard results but they are 
included here for the sake of completeness and to fix the notation. The interested 
readers may look at [Kuiper 65] for further discussion. 
DEFINITION: A threshold scheme is a process which converts a given number x called 
the "message" to n other numbers $y_i$'s called the "shadows" which satisfy the property: 
there exists a number t ($t \le n$) called the threshold such that x can be retrieved 
if any t of the n "shadows" are known, but less than t "shadows" reveal no information 
about the message. More specifically such a threshold scheme is called a t out of n 
threshold scheme. 

Using the entropy function H from [Shannon 48] we can state the requirements in 
the threshold scheme as 

(i) $H(x \mid y_{i_1}, y_{i_2}, \ldots, y_{i_t}) = 0$ 

(ii) $H(x) = H(x \mid y_{i_1}, y_{i_2}, \ldots, y_{i_{t-1}})$ 

for an arbitrary set of t indices $\{i_1, i_2, \ldots, i_t\}$. 

Let k denote a finite field and $k^n$ denote the set consisting of n-tuples over k. 
The set $k^n$ is a vector space over k of dimension n in a natural way. The set $k^n$ is 
also called an affine space over k and the individual n-tuples are referred to as 
the points of the affine space. 

DEFINITION: A subset S of $k^n$ is called an affine variety of $k^n$ if there exists a 
finite set $f_i(x_1, x_2, \ldots, x_n)$, i = 1,2,..,m, of polynomials in n variables such that 

$S = \{ (a_1, a_2, \ldots, a_n) \in k^n \mid f_i(a_1, a_2, \ldots, a_n) = 0 \text{ for } i = 1,2,\ldots,m \}$. 

The equations $f_i(x_1, x_2, \ldots, x_n) = 0$ are called the defining equations of the affine 
variety S. 

DEFINITION: An affine variety is called a linear variety if all its defining equations 
are linear. 

DEFINITION: A linear variety is called a homogeneous linear variety if all its defining 
equations are homogeneous. 

Given a linear polynomial $f(x_1, x_2, \ldots, x_n) = b_0 + b_1 x_1 + \cdots + b_n x_n$, we represent it by 
the vector $(b_0, b_1, \ldots, b_n)$ in $k^{n+1}$, representing the coefficients of f. We will identify 
a linear polynomial $f(x_1, x_2, \ldots, x_n)$ with the vector representing its coefficients. 

DEFINITION: Given a linear variety S, define 

$E(S) = \{ f \in k^{n+1} \mid f(a_1, a_2, \ldots, a_n) = 0 \text{ for all } (a_1, a_2, \ldots, a_n) \in S \}$. 

E(S) is a vector subspace of $k^{n+1}$. 

DEFINITION: Given subsets S and W of $k^n$ and a vector c in $k^n$ define S = c + W if 
$S = \{ v \in k^n \mid v = c + w \text{ for } w \in W \}$. 

The function dim( ) is used to denote the dimension of a vector space. 

LEMMA 1: Given a linear variety S of $k^n$, there exists a vector $c = (c_1, c_2, \ldots, c_n)$ and 
a vector subspace W of $k^n$ such that 
(i) S = c + W 
and 

(ii) dim(W) + dim(E(S)) = n. 

Proof : The proof follows from the Gaussian elimination process and other standard 
arguments from vector space theory. 

DEFINITION: For a linear variety S = c + W, define dim(S) to be dim(W). 

NOTATION: Given a linear variety S, the notation S = w + W indicates that w is a 
vector and W is a vector subspace of k n . 

LEMMA 2: Let $S_1 = w_1 + W_1$ and $S_2 = w_2 + W_2$ be linear varieties of $k^n$. Then $S_1 \cap S_2$ is 
either empty or else it is a linear variety such that $S_1 \cap S_2 = w + W$ where W contains 
$W_1 \cap W_2$. 

Proof: The proof follows from standard vector space arguments. 

DEFINITION: Given vector subspaces $W_1$ and $W_2$ of $k^n$, $W_1 + W_2$ is defined as the vector 
space where 

$W_1 + W_2 = \{ v \in k^n \mid v = w_1 + w_2 \text{ for } w_i \in W_i, \ i = 1, 2 \}$. 

The following is a standard result from the vector space theory. 

LEMMA 3: If $W_1$ and $W_2$ are vector subspaces of $k^n$ then 
$\dim(W_1 + W_2) = \dim(W_1) + \dim(W_2) - \dim(W_1 \cap W_2)$. 

DEFINITION: If S is a linear variety of $k^n$ such that dim(E(S)) = 1 then S is called 
a hyperplane. 

LEMMA 4: Let S = w + W be a linear variety and t = dim(E(S)). Let $H_1, H_2, \ldots, H_m$ be hyper-
planes containing S. Then, 

(i) If m < t then $\bigcap_{i=1}^{m} H_i$ strictly contains S, 

(ii) If $\bigcap_{i=1}^{m} H_i = S$ then $m \ge t$. 

Proof: Note that (ii) clearly follows from (i) because $H_i$ contains S for i = 1,2,..,m. 

Let $T = \bigcap_{i=1}^{m} H_i$. Clearly $E(T) = E(H_1) + E(H_2) + \cdots + E(H_m)$. By repeated applications of 
Lemma 3 it follows that $\dim(E(T)) \le m$. If m < t then it follows from Lemma 1 
that dim(S) < dim(T), thus T strictly contains S. 

DEFINITION: Let S be a linear variety and t = dim(E(S)). The hyperplanes $H_1, H_2, \ldots, H_m$ 
for $m \ge t$ are said to be in general position with respect to S if the intersection 
of any t of them is S. 

DUALIZATION PRINCIPLE: Let V be a vector space of dimension n over the base field k. 
Let $V^*$ be the set of linear functionals on V; then $V^*$ itself forms a vector space of 
dimension n called the dual space of V. The space $V^*$ can be identified with $k^n$ as 
follows: 

Fix a basis of V. Then for every linear functional L on V there exists a unique vector 
$(a_1, a_2, \ldots, a_n)$ in $k^n$ such that for every v in V, 

$L(v) = a_1 v_1 + a_2 v_2 + \cdots + a_n v_n$, 

where $(v_1, v_2, \ldots, v_n)$ is the representation of v with respect to the fixed basis of V. 
Every L belonging to the dual space $V^*$ is identified with the vector $(a_1, a_2, \ldots, a_n)$ 
in $k^n$ as described above. 

DEFINITION: Given a vector v belonging to a vector space V and an element a of k, 
define 

$H(v,a) = \{ L \in V^* \mid L(v) = a \}$. 

LEMMA 5: Given a vector v in V and an element a in k the set H(v,a) is a hyperplane 
in $V^*$. 

Proof: Let $v = (v_1, v_2, \ldots, v_n)$ be the representation of v with respect to a fixed basis 
of V. Then by the dualization principle H(v,a) can be identified with the set 

$\{ (a_1, a_2, \ldots, a_n) \in k^n \mid a_1 v_1 + a_2 v_2 + \cdots + a_n v_n = a \}$. 

Thus E(H(v,a)) is a vector space of dimension one, generated by the vector 
$(-a, v_1, v_2, \ldots, v_n)$, and so H(v,a) is a hyperplane. 



LEMMA 6: Let V be a vector space of dimension n. Let $v_i$ for $i = 1,2,\ldots,m$, $m \ge n$, be 
vectors in V such that any n of them are linearly independent. Let L be a linear 
functional on V and let $L(v_i) = a_i$ for i = 1,2,..,m. Then the hyperplanes $H_i = H(v_i, a_i)$ 
are in general position with respect to {L}. 

Proof: Since $L(v_i) = a_i$, L belongs to $H_i$ for i = 1,2,..,m. By Lemma 1, dim(E({L})) = n. 
For i = 1,2,..,m, by $(v_i, a_i)$ we denote the vector in $k^{n+1}$ whose projection on the first 
n components is given by the vector $v_i$ and whose (n+1)-th component is $a_i$. Any n of the 
vectors $(v_i, a_i)$ for i = 1,2,..,m are linearly independent because the same property 
is true for their projections $v_i$ by assumption. To prove that the hyperplanes 
are in general position we need to show that the intersection of any n of them is {L}. 

Let $S = \bigcap_{i=1}^{n} H_i$. Without loss of generality it is enough to show that S = {L}. 

By Lemma 2, S is a linear variety. L belongs to S because L belongs to every hyper-
plane $H_i$ for i = 1,2,..,n. The vectors $(v_i, a_i)$ belong to E(S) for i = 1,2,..,n. Since 
the vectors are linearly independent it follows that dim(E(S)) = n. Then by Lemma 1, 
dim(S) = 0 and so S = {L} since L belongs to S. 

LEMMA 7: Let $v_i = (1, b_i, b_i^2, \ldots, b_i^{n-1})$ be vectors belonging to $k^n$ for i = 1,..,m where 
$m \ge n$ and $b_i \ne b_j$ for $i \ne j$. Then any n of the m vectors $v_i$ are linearly independent. 

Proof: Without loss of generality it is enough to show that the $v_i$ for i = 1,2,...,n are 
linearly independent. Let B be the n x n matrix whose (i,j)-th entry is $b_i^{j-1}$. 
The matrix B is known as a Vandermonde matrix. It is a property of a Vandermonde 
matrix³ that $\det(B) \ne 0$ if and only if $b_i \ne b_j$ for $i \ne j$. Thus if $b_i \ne b_j$ for $i \ne j$ 
then $\det(B) \ne 0$, which implies that the $v_i$ are linearly independent for i = 1,2,..,n. 

DEFINITION: Given a linear functional f and an element a belonging to k define 
$H(f,a) = \{ v \in V \mid f(v) = a \}$. 

LEMMA 8: H(f,a) is a hyperplane in V. 

Proof: This is a dual of lemma 5. 

The following lemma is the mathematical basis for the perfect security of the 
various linear threshold schemes. 

LEMMA 9: Let f be a linear functional on a vector space V. T is a linear subvariety 
of V such that T is not contained in H(f,a) for any a belonging to k. Then f uniformly 
projects T over k. 

Proof: Since T is not contained in any H(f,a), f projects T onto k. 

Let $T_a = \{ v \mid v \in T \text{ and } f(v) = a \}$. Then $T_a = v_a + W$ where $v_a$ is a vector in T 
which projects to a and W is a subspace contained in the kernel of f which does not 
depend on a. Thus the cardinality of $T_a$, which is the same as the cardinality of W, is 
independent of a, i.e. f projects T uniformly over k. 
3. DESCRIPTION OF LINEAR THRESHOLD SCHEMES 

In this section we briefly describe the threshold schemes due to Blakely, Bloom, 
Karnin-Greene-Hellman and Shamir. For more detailed descriptions of these schemes 
refer to [Blakely 79], [Shamir 79], [Bloom], [Karnin 83]. For uniformity of descrip-
tion all the schemes are set up to give n "shadows" and the threshold is t 
where n and t are integers such that $n \ge t$. 

Blakely's Threshold Scheme (affine version): 

Blakely's threshold scheme starts with a t dimensional affine space V. The key 
is concealed by a specific coordinate of a point S of V. The n "shadows" are given by 
hyperplanes $H_i$, i = 1,2,..,n, of V such that the $H_i$ and the specific coordinate plane 
passing through S are in general position with respect to S. 

Now given any t distinct "shadows" $H_i$, we can get the point S representing the 
key by intersecting the "shadows". However if only r "shadows", r < t, are known, 
then by intersecting the r hyperplanes corresponding to the "shadows" we get (t-r) 
dimensional linear variety strictly containing S. Thus S cannot be determined and 
no information about the key is revealed. 

Bloom's Threshold Scheme: 

Bloom's scheme starts with a t dimensional vector space V. The vectors $v_i$ for 
i = 0,1,..,n are chosen such that any t of them are linearly independent and consequently 
span the vector space V. A linear functional L on V is chosen such that $L(v_0)$ repre-
sents the key. The "shadows" $S_i$ for i = 1,2,..,n are defined to be $S_i = L(v_i)$. Now, 
given any t "shadows" the linear functional L is completely determined and the key can be com-
puted using $v_0$. However if only r "shadows", r < t, are known then L is not completely 
determined and no information about the key is revealed. 

Shamir's Threshold Scheme: 

Shamir's scheme starts with a polynomial 

$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$ 

and nonzero distinct scalars $x_i$ for i = 1,2,..n. The key S is represented by $a_0$. The 
n "shadows" $S_i$, for i = 1,2,..n are defined as 

$S_i = f(x_i)$. 

Given any t distinct "shadows" f(x) can be determined by Lagrange interpolation formula 
and the key is obtained by evaluating f(x) at x=0. If only r "shadows", r < t, are 
known then f (x) cannot be determined and no information about the key is revealed. 

Karnin-Greene-Hellman Threshold Scheme: 

The scheme starts with n+1 column vectors $A_0, A_1, \ldots, A_n$ of size t such that any t 
of them have full rank. U is a row vector of size t. The key is given by $U \cdot A_0$. 
The n shadows are given by $U \cdot A_i$ for i = 1,2,..,n. If any t of the n shadows are known 
then U can be determined and the key is obtained by evaluating $U \cdot A_0$. If less than 
t shadows are known then U is not determined and no information about the key is 
revealed. 

4. GENERALIZED LINEAR THRESHOLD SCHEME: 

A generalized t out of n threshold scheme is constructed as follows. Let V be 
a (d+t) dimensional vector space. The secret is a scalar a concealed by a d dimensional 
linear subvariety S. A linear functional f is used to reveal the secret from S, i.e. 
f is chosen such that f(v) is equal to a for any v belonging to S. The linear variety 
S is kept secret but the linear functional f is made known to all the trustees 
involved. 

The n shadows are given by n hyperplanes. The hyperplanes representing the 
shadows and the hyperplane H(f,a) together are chosen to be in general position with 
respect to S. 

Given any t shadows, S is obtained by intersecting the corresponding hyperplanes. 
If fewer than t shadows are known, the corresponding hyperplanes intersect in a 
linear subvariety S' containing S. Moreover S' is not contained in H(f,a) because 
the hyperplanes intersecting in S' and H(f,a) are in general position by choice. In 
view of lemma 9, S' reveals no information about a. 

5. INTERRELATION OF LINEAR THRESHOLD SCHEMES: 

This section presents conversion algorithms proving that the t out of n threshold 
schemes of Blakley, Bloom and Karnin-Greene-Hellman are equivalent. The same notation 
that is used to describe the schemes is used again to describe the algorithms. 

Algorithm BLBM: 

The following algorithm converts a Blakley scheme to a Bloom scheme. 

1. Let e_1, e_2, .., e_t be the standard basis of V. Choose the linear functional L 
such that L(e_i) is the i-th coordinate of S for 1 ≤ i ≤ t. 

2. If the k-th coordinate of S is the secret to be concealed then choose 
v_0 to be e_k. 

3. Choose v_i to be the vector representing the coefficients of H_i for 
i=1,2,..,n. 

Algorithm BMKGH: 

The following algorithm converts a Bloom scheme to a Karnin-Greene-Hellman scheme. 

1. Let e_1, e_2, .., e_t be the standard basis of V. Set U = (L(e_1), L(e_2), .., L(e_t)). 

2. The (n+1) column vectors A_0, A_1, .., A_n are chosen to be v_0, v_1, .., v_n written as 
column vectors. 
Algorithm KGHBL: 

The following algorithm converts a Karnin-Greene-Hellman scheme to a Blakley 
scheme. 

1. Choose S to be the point given by U. 

2. The hyperplanes H_1, H_2, .., H_n are chosen to be the hyperplanes 
whose coefficient vectors are given by A_1, A_2, .., A_n. 

Algorithm BMSH: 

This algorithm converts a Bloom scheme to a Shamir scheme. 

1. Define v_0 = (1, 0, .., 0). 

2. Define the vectors v_i for 1 ≤ i ≤ n as 
v_i = (1, b_i, b_i^2, .., b_i^{t-1}). 

Note that by lemma 7 any t of the v_i for i=0,1,..,n are linearly 
independent. 

3. Let a = (a_0, a_1, .., a_{t-1}) and define L as 

L(v) = a·v for v belonging to V, where a·v is the dot product 
of a and v. 

Algorithm GSBL: 

This algorithm specializes a generalized linear scheme to a Blakley scheme. 

1. Choose d = 0. 

2. Choose the linear functional f to be a projection on one of the coordinate 
axes. 

In view of these algorithms the various threshold schemes are specializations 
of the generalized linear threshold scheme, and they subsume Shamir's scheme. 
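The four schemes of section 3 and the conversion algorithms BMSH, BMKGH and BLBM of this section, carried out on one set of data over a prime field. This is an added example and not code from Kothari's paper; the field GF(p) with p = 2^61 - 1, the shadow abscissae b_i = i, and the convention that the secret is the coordinate a_0 (so that v_0 = e_1 in algorithm BLBM) are choices of the example, not of the paper.

```python
# Added example, not code from Kothari's paper: one coefficient vector a read as
# Shamir's polynomial, Bloom's functional L, the Karnin-Greene-Hellman row U and
# Blakley's point S, following algorithms BMSH, BMKGH and BLBM.  The field GF(P),
# the shadow abscissae b_i = i and placing the secret in a_0 are this example's choices.
import secrets

P = 2**61 - 1   # Mersenne prime; GF(P) (assumed choice of field)

def eval_poly(coeffs, x, p=P):
    """f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod p, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def shamir_split(secret, t, n, p=P, rng=secrets.randbelow):
    """Shamir: a_0 = secret, a_1..a_{t-1} random; shadows S_i = f(b_i) with b_i = i."""
    coeffs = [secret % p] + [rng(p) for _ in range(t - 1)]
    return coeffs, {i: eval_poly(coeffs, i, p) for i in range(1, n + 1)}

def lagrange_at(points, x0, p=P):
    """Value at x0 of the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def shamir_recover(shadows, p=P):
    """Key f(0) from any t shadows given as {b_i: S_i}."""
    return lagrange_at(list(shadows.items()), 0, p)

def vandermonde_row(b, t, p=P):
    """Algorithm BMSH, step 2: v_i = (1, b_i, b_i^2, .., b_i^{t-1})."""
    return [pow(b, j, p) for j in range(t)]

def dot(u, v, p=P):
    return sum(x * y for x, y in zip(u, v)) % p

def bloom_shadow(a, v, p=P):
    """Bloom: S_i = L(v_i) with L(v) = a·v (BMSH, step 3).  Read column-wise this is
    the Karnin-Greene-Hellman shadow U·A_i with U = a and A_i = v_i (algorithm BMKGH)."""
    return dot(a, v, p)

def blakley_contains(a, v, s, p=P):
    """Blakley: the hyperplane H_i = {x : v_i·x = S_i} passes through the point S = a
    (algorithm BLBM: L(e_j) is the j-th coordinate of S; here v_0 = e_1, so the key
    is the first coordinate of S)."""
    return dot(v, a, p) == s % p

def consistent_with_guess(known, guess, p=P):
    """With only t-1 shadows every guess of the key is consistent with them: the
    t-1 points plus (0, guess) determine one polynomial of degree < t through all of
    them, so the shadows leave the key undetermined."""
    pts = list(known.items()) + [(0, guess % p)]
    return all(lagrange_at(pts, b, p) == s for b, s in known.items())
```

Reading the same vector a as L (Bloom), as U (Karnin-Greene-Hellman) and as the point S (Blakley) is exactly what algorithms BMSH, BMKGH and BLBM do, so the shadow values coincide under all four readings; consistent_with_guess carries out the argument that with t-1 shadows f(x) cannot be determined, since any value of the key completes them to a valid polynomial.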

6. HIERARCHICAL THRESHOLD SCHEME: 

In many applications there is a hierarchy among the trustees to whom the shadows 
are distributed for safeguarding the secret, and there is a need to create shadows of 
different potency. For example, in a company where there are two levels of guards, such as 
senior and junior executives, it may be required that the threshold to obtain the 
secret be strictly smaller for senior executives than the threshold required 
of junior executives. In defense applications this requirement may be even more 
crucial when there are different levels of command and it is required that the lower 
the level of command, the higher the number of officers required to reveal the secret. 
These applications require a threshold scheme which provides shadows at different levels, 
with the threshold dependent on the level; such a scheme will be called a hierarchi- 
cal threshold scheme. 

An obvious solution to obtain a hierarchical threshold scheme seems to be to adapt 
an ordinary threshold scheme to the purpose by providing multiple shadows as shadows 
at higher levels. However, this approach has drawbacks: even though fewer shadows 
are required to reveal the secret, the computation required in the process is not re- 
duced; the shadows at different levels have to be physically different and interpreted 
differently; and a full range of threshold values is not available. A natural solution 
to these problems is offered by a generalized linear scheme. 

A hierarchical threshold scheme is obtained from the generalized linear threshold 
scheme as follows. The basic idea is to use linear varieties of different dimensions 
to conceal the secret at different levels. 

Assume that V is a t dimensional vector space and f is a linear functional which 
is used to reveal the secret concealed by a linear subvariety S. The variety S is 
such that the function f has a unique value on S. There are several choices for S and 
the maximum dimension for S is (t-1). The threshold is the difference between t and 
the dimension of S. Choose a sequence S_i, 0 ≤ i ≤ t-1, of linear subvarieties such 
that dim(S_i) = i and f(S_i) is a single value giving the secret. The shadows at level 
i are generated with respect to S_i as described in the construction of the generalized 
linear threshold scheme. The threshold at level i is then t-i. Thus we get a hier- 
archical scheme providing t different levels of shadows. At level i, t-i linear equa- 
tions have to be solved to obtain the secret, thus the computation to reveal the secret 
is proportional to the threshold. 
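The hierarchical construction just described, implemented over a toy field as an added example; this is not code from the paper, which gives no implementation. The example fixes t = 4, takes f to be the projection onto the first coordinate as in algorithm GSBL, takes the chain S_i = base + span(e_1, .., e_i), and builds the level-i shadows as hyperplanes containing S_i whose normals are Vandermonde rows on the free coordinates. The field GF(101), these normals, and the labels senior/junior for the levels are assumptions of the example.

```python
# Added example (not from Kothari's paper): the hierarchical threshold scheme of
# section 6 over the prime field GF(P), with the revealing functional f(v) = v[0]
# (projection on the first coordinate, as in algorithm GSBL).  The chain of
# varieties S_0 ⊂ S_1 ⊂ ... ⊂ S_{t-1} is S_i = base + span(e_1, .., e_i); a level-i
# shadow is a hyperplane h·v = c containing S_i.  Field size and the Vandermonde
# choice of the hyperplane normals are assumptions of this example.
import secrets

P = 101     # toy field, so that consistent_secrets() can sweep all of GF(P)
T = 4       # dim V; level i has threshold T - i

def dot(u, v, p=P):
    return sum(x * y for x, y in zip(u, v)) % p

def solve_mod(A, b, p=P):
    """One solution x of A x = b over GF(p) (free variables set to 0), or None
    when the system is inconsistent.  Plain Gauss-Jordan elimination."""
    m, n = len(A), len(A[0])
    M = [[v % p for v in row] + [bv % p] for row, bv in zip(A, b)]
    pivots, r = [], 0
    for col in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if M[i][col]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][col], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(m):
            if i != r and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
    if any(M[i][n] for i in range(r, m)):   # a row 0 = nonzero: inconsistent
        return None
    x = [0] * n
    for i, col in enumerate(pivots):
        x[col] = M[i][n]
    return x

def make_base_point(secret, t=T, p=P, rng=secrets.randbelow):
    """A point of S_0: f(base) = base[0] = secret, the other coordinates random."""
    return [secret % p] + [rng(p) for _ in range(t - 1)]

def level_shadow(base, level, x, t=T, p=P):
    """Level-`level` shadow: hyperplane (h, c) with h·base = c that contains
    S_level, i.e. h vanishes on e_1..e_level.  The normals of one level are the
    Vandermonde rows (1, x, x^2, ..) on the remaining coordinates, so any t-level
    of them (distinct nonzero x) meet exactly in S_level."""
    h = [1] + [0] * level + [pow(x, j, p) for j in range(1, t - level)]
    return h, dot(h, base, p)

def reveal(shadows, t=T, p=P):
    """Write f = e_0 as a combination sum(lam_j h_j) of the shadows' normals; then
    a = f(v) = s_j = sum(lam_j (h_j·v)) = sum(lam_j c_j) for every v on the shadows'
    intersection.  Returns None when f is not in the span: the intersection is
    then not contained in H(f, a) and a is undetermined (lemma 9 of the paper)."""
    normals = [h for h, _ in shadows]
    transposed = [[h[i] for h in normals] for i in range(t)]   # t x m matrix
    lam = solve_mod(transposed, [1] + [0] * (t - 1), p)
    if lam is None:
        return None
    return sum(l * c for l, (_, c) in zip(lam, shadows)) % p

def consistent_secrets(shadows, t=T, p=P):
    """Exhaustive check (small p only): every a' for which some point v satisfies all
    shadow equations and f(v) = a'.  All of GF(p) exactly when reveal() is None."""
    rows = [h for h, _ in shadows] + [[1] + [0] * (t - 1)]
    rhs = [c for _, c in shadows]
    return [a for a in range(p) if solve_mod(rows, rhs + [a], p) is not None]
```

At level i the secret is read off by solving a system in t-i unknowns (the coefficients λ_j), which matches the remark above that the work is proportional to the threshold; reveal() returns None whenever f is outside the span of the collected normals, the situation lemma 9 refers to, and consistent_secrets() confirms by exhaustion that every field element is then still possible. Sets of shadows drawn from several levels reveal the secret whenever the same span condition holds, which the same rank computation decides.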

7. CONCLUSIONS 

This paper shows that various linear threshold schemes are closely related and 
they are all founded on the same principles. A generalized linear threshold scheme 
nicely crystallizes the basic principles of linear threshold schemes. The generalized 
threshold scheme has the flexibility which allows a chain of linear varieties to be 
used to conceal a secret. This property provides a hierarchical threshold scheme. 
The linear threshold schemes have fallen back on Shamir's method for a concrete im- 
plementation - however the same method cannot be used to implement a generalized 
threshold scheme as a hierarchical scheme. At this time we do not know of any effi- 
cient implementation of a hierarchical threshold scheme and the problem needs to be 
investigated further. 

There are other possible generalizations of linear threshold schemes. The linear 
functional used to reveal the secret may be replaced by a fractional linear trans- 
formation (this is the case with Blakley's projective threshold scheme); also the 
shadows may be chosen to be lower dimensional linear varieties instead of linear 
hyperplanes. It is not clear that these generalizations would give any better thres- 
hold schemes. 
SECURITY OF RAMP SCHEMES 

G. R. Blakley and Catherine Meadows 

College Station, Texas 77843-3368 

1. OVERVIEW. 

A k out of n p/s/r process [AS81] is a very efficient way to 
convey information (k words suffice to reclaim k words). But it 
provides virtually no cryptographic security for the information it 
deals with. 

A k out of n threshold scheme [DE81, p. 179-187] is very 
inefficient as a conveyor of information (k words are necessary to 
reclaim 1 word). But the linear threshold schemes provide Shannon 
perfect security [BL81a] up to threshold k. Examples of linear 
threshold schemes are Blakley projective [BL79], Blakley affine 
[BL73], Shamir [SH79], Bloom [BL81b], McEliece/Sarwate [MC81], some 
versions of Asmuth/Bloom [AS83] and some versions of Karnin/Greene/ 
Hellman [KE83]. In addition to the linear threshold schemes there are 
the threshold schemes due to Davida/DeMillo/Lipton [DA80], some 
Asmuth/Bloom schemes, and some Karnin/Greene/Hellman schemes. 

For many practical purposes, Shannon perfect security is too much 
security if it is bought with k-fold (or more) bandwidth expansion. A 
magazine wanting to use a 4 out of 6 threshold scheme to store a 
mailing list occupying 12 rolls of magnetic tape might balk at the 
need to write, store and manipulate 72 rolls of mag tape to gain 
Shannon perfect security against opponents whose cryptanalytic 
expertise is unimpressive. But it might be willing to write, store 
and handle 24 rolls to get a specified — more modest — level of 
security, the reasoning being much the same as what leads people to 
put locks on glass doors. You balance level of security against the 
amenities which less security provides, in an environment in which the 
opponents are viewed as troublesome but not too threatening. 
We will follow a suggestion of Bloom's [BL81b] and explore the 
properties of various versions of what we will call a "k out of n 
to yield d ramp scheme" (or, more briefly, a (d,k,n) ramp scheme). 
Figures 1.1, 1.2 and 1.3 will make clear why we chose the ramp 
terminology for the generalization of the notion of threshold scheme. 

One of the most important types of ramp scheme, the linear ramp 
scheme, does the following. It takes d pieces of input information 
(i.e. members of a finite field F). From these d inputs (and using 
k - d other predetermined types of inputs, perhaps some of them 
random) it produces n outputs in such a fashion that the d inputs 
can easily be reconstructed from any k outputs. But there is a 
predetermined level of uncertainty (perhaps the level is zero, and 
there is an absolute upper bound dependent on j) regarding the 
inputs if only j outputs are known — given that j < k. It should 
be obvious from the description above that the assumption 

1 ≤ d ≤ k ≤ n 

is implicit in this definition. 

The magazine mentioned above could use a (3,4,6) ramp scheme to 
turn its 12 input rolls of mag tape into 6 boxes (each containing four 
output rolls). This ramp scheme would have the property that it is 
easy to get the contents of all 12 input rolls back from any 4 boxes 
of four output rolls. A competitor of the magazine who gained access 
to only 3 of these boxes of four tapes each would have some knowledge 
of the contents of the 12 original mag tape rolls, but likely not 
enough to be useful. 

The basic security consideration in a linear k out of n 
threshold scheme is all-or-none, i.e. Shannon perfect security [BL81b; 
SH79]. For every word w belonging to the field F we have 

Probability(w is the word conveyed by the scheme | k-1 (or fewer) shadows are known) 

= Probability(w is the word conveyed by the scheme). 

In other words, no amount of knowledge of shadows [BL79] (coded words) 
below the threshold level k enables a Bayesian opponent [KO81, 
p. 31] to modify an a priori guess regarding what information the 
scheme conveys. 

A k out of n threshold scheme is the extreme (1,k,n) case 
of the notion of ramp scheme. See Figure 1.2 below for a description 
of a linear (1,k,n) ramp scheme. A k out of n p/s/r process is 
the opposite extreme, the (k,k,n) case of the notion of ramp 
scheme. (See Figure 1.3 below for a description of a linear (k,k,n) 
ramp scheme.) Here there is a small measure of security. If you 
intercept only k-1 shadows you can know at most 100(k-1)/k per 
cent of the k pieces of information that were to be conveyed. And 
you may know less than that, depending on circumstances. We will 
address this point more fully below. 

The basic security consideration in a (d,k,n) ramp scheme is 
Shannon relative security. This generalization of the notion of 
Shannon perfect security goes as follows. Consider the d 
dimensional vector space T consisting of all lists 

(f(1), f(2), ..., f(d)) 

of d words (i.e. members of the finite field F in question). 
Somebody who knows how the linear ramp scheme in question has been 
designed and implemented can do no better than the following. Given 
knowledge of z shadows of the information there is an affine 
subspace U of T. The dimensionality dim(U) of this affine 
subspace U is 

dim(U) = min{d, max{0, k-z}} 

(see Figure 1). The subspace U has the property that for every list 

ξ = (ξ(1), ξ(2), ..., ξ(d)) 

of elements of the field F in question we have 

Probability(the list ξ to be conveyed does not belong to U) = 0, 

Probability(the list ξ to be conveyed is equal to w ∈ U | given 
the knowledge of z intercepted shadows) 

= Probability(the list ξ to be conveyed is equal to w ∈ U) 
/ Probability(the list ξ belongs to U). 

In brief, a Bayesian opponent in possession of z shadows from a 
(d,k,n) linear ramp scheme now knows that the desired list ξ belongs 
to U. This is a considerable increase over the amount of information 
he had at the outset, before he knew any shadows. But, as to where it 
is within U, he knows no more than he did before he had acquired any 
shadows. Thus suppose that 1 ≤ d ≤ k ≤ n. With z shadows 
available, an opponent knows of a subspace U whose dimension is 
given in the Figure 1.1 below. 

The concept of linear ramp scheme can also be extended to more 
general (nonlinear) ramp schemes (such as some versions of the 
Asmuth/Bloom ramp scheme) by associating a subset U of T to each 
set of z shadows, where T is merely a set of lists of d words 
instead of a vector space. Of course in this case we cannot put 
dimensionality requirements on U, since U will in general not be a 
linear space. We can, however, put degree-of-freedom requirements on 
U, namely, that if U is the subset of T corresponding to k-d+s 
shadows then knowledge of U leaves us with exactly d-s degrees of 
freedom. In other words, knowledge of U should not give us any 
information about any d-s member sublist of ξ = (ξ(1), ξ(2), ..., ξ(d)) 
but knowledge of U and any d-member sublist should give us knowledge 
of the whole list. 

We will follow, to some extent, a recent view of threshold 
schemes due to S. Kothari [KO85]. In addition to its unifying 
properties, his formulation neatly uncouples the probabilistic 
considerations from the algebra. This makes it possible for him to 
give simple elegant proofs of Shannon perfect security for many 
heretofore seemingly different threshold schemes. Also, he makes 
explicit the notion that Shamir's [SH79] threshold scheme is a special 
case of Bloom's [BL81b]. We wish to point out that the converse 
statement also holds, in a sense. The first mention of this converse 
to Kothari's observation can be found in [KA83]. Thus it might be 
more appropriate to speak of a Shamir/Bloom scheme — or of the Bloom 
approach to a Shamir threshold scheme — henceforward, rather than of 
separate threshold schemes. Kothari also shows that the Bloom 
threshold scheme [KO85] is dual to the Blakley affine [BL83] geometric 
threshold scheme. So all the known Shannon perfectly secure threshold 
schemes are linear algebraic, and are to all mathematical intents and 
purposes identical. A corollary of this is that there are rigid 
[BL83] Blakley schemes and nonrigid versions of the other schemes. 

Since the theory of threshold schemes and ramp schemes seems to 
be maturing, we have collected all the papers touching it known to us 
in the references at the end of this paper. It is worth noting that 
Chaum also enunciated ideas [CH79; CH82] along the lines of threshold 
schemes and suggested implementations making use of cryptosystems. 

2. GENERALIZED RAMP SCHEMES 



In this section we develop a general definition of ramp scheme. 
This definition is actually more general than needed for the examples 
in this paper, but we state it in as much generality as possible in 
order that it can be made to fit any future examples of ramp schemes. 

(2.1) Definition. A (d,k,n) ramp scheme is defined as follows. We 
start with a concealing set V and a key set W such that 

log|V| / log|W| = k/d, 

where |·| denotes cardinality. Let π be a surjective map from V 
to W, that is, let π be a map such that for every w ∈ W there is 
at least one v ∈ V such that π(v) = w. We will call it the 
revealing map. Given a key element w in W we choose a point y in 
π^{-1}(w) called the concealing point. To this point y we associate a 
set of n shadows 

{H(1), H(2), ..., H(n)} 

where each shadow H(i) is a subset of V such that 

a) The intersection of any k shadows is {y}. 

b) There exists an integer ℓ dependent upon d and k such that 

i) 1 ≤ ℓ < k; 

ii) The restriction of π to the intersection of any ℓ shadows 
is surjective; 

iii) Knowledge about w = π(y) increases in some regular way with 
knowledge of each shadow after ℓ shadows. 



As an example of what we mean by the last part of this 
definition, suppose that W is a vector space of dimension s over a 
finite field. We could require that, if H is the intersection of 
ℓ+i < k shadows, then π(H) is a vector space of dimension s-i. 

In the threshold scheme case (1,k,n) we can require a scheme to 
be Shannon perfectly secure. We define a threshold scheme to be 
Shannon perfectly secure if it satisfies the following criterion. 
Whenever the intersection H of less than k shadows is known, then 
the probability that the image of y under π is w is equal to the 
a priori probability of w (in other words, p(π^{-1}(w)|H) = p(w)). 
Since some probabilities go to zero in the general ramp scheme case, 
and the remaining ones usually increase, Shannon perfect security is 
of course impossible. However, we can still require that no 
probability which remains positive increases any faster than any other 
which remains positive, i.e. that the ratios of the remaining positive 
probabilities remain the same. If this is not possible we can at 
least require that the ratios do not vary too much from the original. 
The following definition makes these ideas precise. 

(2.2) Definition. A (d,k,n) ramp scheme R is Shannon relatively 
secure if, whenever the intersection H of less than k shadows is 
known, then 

(2.3)    p(π^{-1}(w)|H) / p(π^{-1}(w*)|H) = p(w) / p(w*) 

for every pair of elements w and w* in π(H). A (d,k,n) ramp 
scheme R is Shannon t-relatively secure if, whenever the 
intersection H of less than k shadows is known, then 

(2.4)    p(w) / ((1+t) p(w*)) ≤ p(π^{-1}(w)|H) / p(π^{-1}(w*)|H) ≤ (1+t) p(w) / p(w*). 

We say that a ramp scheme is t-relatively secure with knowledge of r 
shadows if the above inequality holds whenever H is the intersection 
of r shadows. 

In the following lemma we show that the definition of Shannon 
relative security arises naturally from Shannon perfect security. 

(2.5) Lemma. Let R be a (d,k,n) ramp scheme. Then R is Shannon 
relatively secure if and only if whenever the intersection H of less 
than k shadows is known, then 

p(π^{-1}(w)|H) = p(w|π(H)). 

In particular, a threshold scheme is Shannon relatively secure if and 
only if it is Shannon perfectly secure, and a Shannon relatively 
secure ramp scheme is Shannon perfectly secure up to and including 
knowledge of k - d shadows. 

Proof: Let H be the intersection of no more than k shadows. If 

p(π^{-1}(w)|H) = p(w|π(H)) 

then for all w ∈ π(H) 

p(π^{-1}(w)|H) = p(w|π(H)) 
= p({w} ∩ π(H)) / p(π(H)) 
= p(w) / p(π(H)). 

Thus, for all w and w* in π(H) we have 

p(π^{-1}(w)|H) / p(π^{-1}(w*)|H) = (p(w)/p(π(H))) / (p(w*)/p(π(H))) = p(w) / p(w*) 

and so R is Shannon relatively secure. 

Conversely, suppose that R is Shannon relatively secure. 
If w ∉ π(H) then both p(π^{-1}(w)|H) and p(w|π(H)) are zero. Now let 
π(H) = {w(0), w(1), ..., w(m)}. Then 

p(π^{-1}(w(0))|H) / p(π^{-1}(w(i))|H) = p(w(0)) / p(w(i)) 

for 1 ≤ i ≤ m. Moreover 

p(π^{-1}(w(0))|H) + ... + p(π^{-1}(w(m))|H) = 1. 

This gives us a nondegenerate system of m + 1 linear equations in 
m + 1 unknowns p(π^{-1}(w(0))|H) through p(π^{-1}(w(m))|H) for which 

p(π^{-1}(w(0))|H) = p(w(0)|π(H)), 
... 
p(π^{-1}(w(m))|H) = p(w(m)|π(H)) 

is the unique solution. 

The last statement of the lemma follows from the fact that 
π(H) = W when no more than k - d shadows are known. 

The major advantage of the above definition of ramp schemes is 
that, as in the case of Kothari's [KO85] definition of linear 
threshold scheme, it allows us to characterize Shannon relative 
security solely in terms of the cardinalities of π^{-1}(w) and 
π^{-1}(w) ∩ H. 
(2.6) Lemma. Let R be a (d,k,n) ramp scheme. Then R is Shannon 
relatively secure if and only if, whenever the intersection H of 
fewer than k shadows is known, the equality 

(2.7)    |π^{-1}(w) ∩ H| / |π^{-1}(w*) ∩ H| = |π^{-1}(w)| / |π^{-1}(w*)| 

holds for all w, w* in π(H). R is Shannon t-relatively secure if 
and only if, whenever the intersection H of fewer than k shadows 
is known, the inequalities 

(2.8)    |π^{-1}(w)| / ((1 + t) |π^{-1}(w*)|) ≤ |π^{-1}(w) ∩ H| / |π^{-1}(w*) ∩ H| ≤ (1 + t) |π^{-1}(w)| / |π^{-1}(w*)| 

hold for all w, w* in π(H). 

Proof. R is Shannon relatively secure if and only if 

p(w|H) / p(w*|H) = p(w) / p(w*). 

But 

p(w|H) = p(π^{-1}(w) ∩ H) / p(H). 

Since the point y in π^{-1}(w) is chosen at random, the distribution on 
π^{-1}(w) is uniform and so 

p(π^{-1}(w) ∩ H) = p(w) |π^{-1}(w) ∩ H| / |π^{-1}(w)|. 

Thus equation (2.3) in the definition of Shannon relative security 
becomes 

p(w) |π^{-1}(w) ∩ H| |π^{-1}(w*)| / (p(w*) |π^{-1}(w*) ∩ H| |π^{-1}(w)|) = p(w) / p(w*), 

which reduces to equation (2.7). Similarly, inequality (2.4) in the 
definition of Shannon t-relative security becomes 

p(w) / ((1+t) p(w*)) ≤ p(w) |π^{-1}(w) ∩ H| |π^{-1}(w*)| / (p(w*) |π^{-1}(w*) ∩ H| |π^{-1}(w)|) ≤ (1+t) p(w) / p(w*), 

which reduces to inequality (2.8). □ 

In the remaining sections of this paper we examine several 
examples of (d,k,n) ramp schemes, along with their security proofs. 

3. RIGID LINEAR SCHEMES 

In this section we develop a general linear ramp scheme within 
the general framework set forth by Kothari in [KO85]. Namely, let V 
be a vector space of dimension k over a finite field F, let y be 
a point of V hiding the key vector in some way, and let the H(i)s be 
hyperplanes in general position with respect to y. (This is actually 
less general than Kothari's scheme, which also includes projective and 
affine spaces.) We let W be F^d and we let the map π: V → W be a 
linear transformation. It turns out that if the H(i)s are oriented 
so that the intersection of any λ of them with a certain translation 
of the kernel of π is a linear variety of dimension min(k-λ-d, 0) then 
any such scheme is Shannon relatively secure. We make this 
requirement precise below. 

(3.1) Definition. We define a (d,k,n) linear ramp scheme in the 
following way. Let F be a finite field, let V = F^k and let 
W = F^d. Let π : F^k → F^d be a linear transformation. Choose 
hyperplanes T(1), T(2), ..., T(d) through the origin such that 
T(1) ∩ ... ∩ T(d) is the kernel of π. For 1 ≤ i ≤ d, let t(i) be 
the vector such that 

T(i) = {x ∈ F^k | t(i)·x = 0}. 

Next choose hyperplanes through the origin S(1), ..., S(n) such that 
the set 

{T(1), ..., T(d), S(1), ..., S(n)} 

is in general position with respect to the origin, that is, such that 
the intersection of any k members of the set is the origin. For 
1 ≤ i ≤ n let s(i) be the vector such that 

S(i) = {x ∈ F^k | s(i)·x = 0}. 

(Thus the set of vectors {t(1), ..., t(d), s(1), ..., s(n)} is in 
general position.) For a given w in W we choose shadows by 
picking a point y at random in π^{-1}(w) and then picking field 
elements c(1) through c(n) such that the intersection of any k 
of the hyperplanes 

H(i) = {x ∈ F^k | x·s(i) = c(i)} 

is {y}. Since the hyperplanes S(i) are in general position, this 
can be done by choosing c(i) such that y is an element of each 
H(i). Since y is also an element of each T(i), the set 

{T(1), ..., T(d), H(1), ..., H(n)} 

is also in general position with respect to y. 

(3.2) Proposition. The linear scheme is a (d,k,n) ramp scheme with 
ℓ = k-d. Moreover, if k-d+s shadows are known, then all that is 
known about the key element w is that it lies in a vector subspace 
of W of dimension d-s. 

Proof: That linear schemes satisfy condition (a) of Definition (2.1) 
is clear from their definition. 

In order to prove the rest of the proposition, let H be the 
intersection of r shadows, where 1 ≤ r < k. Thus 

H = H(i_1) ∩ ... ∩ H(i_r). 

Let 

S = S(i_1) ∩ ... ∩ S(i_r). 

Then H = S + a, where a ∈ F^k. It follows that dim(π(H)) = dim(π(S)), 
and so it remains to show that π(S) = F^d when r ≤ k-d and 
dim(π(S)) = d-s when r = k-d+s. 

Since the S(i)s and the T(i)s are in general position, we 
have 

dim(S ∩ T) = min(0, dim(S) + dim(T) - k) 
= min(0, k-r+k-d-k) 
= min(0, k-(d+r)). 

It follows that, if r = k-d-s where 0 ≤ s < k-d, then 

dim(π(S)) = dim(S) - dim(S ∩ T) 
= k-r-(k-(d+r)) 
= d. 

Thus π(S), and hence π(H), is all of F^d. If r = k-d+s, where 
1 ≤ s < d, then 

dim(π(S)) = dim(S) - dim(S ∩ T) 
= k-r-0 
= k-(k-d+s) 
= d-s. 

Hence dim(π(H)) = d-s. □ 

(3.3) Remark. We note that if the subspaces S(1), ..., S(n) are 
fixed beforehand and made known to the general public, no information 
about the key element w is given away. Moreover, we are saved the 
trouble of calculating the orientations of the H(i)s anew each time, 
and economy is gained since each shadow holder only has to guard a 
single field element instead of the equation of a hyperplane. It 
follows that any efficient ramp scheme will have this property. 
However, as we see, this property can be built into any linear ramp 
scheme. 

Schemes in which the S(i)s are fixed beforehand are known as 
rigid schemes since the choice of the shadows H(i) is fixed by the 
choice of the point y ∈ π^{-1}(w). 

(3.4) Remark: If we think of the key element w as a single random 
key, then the above construction of a rigid linear ramp scheme 
suffices. However, if we think of w as a vector of d keys, or as 
a word that could possibly be deduced if we knew a small part of it, 
we need to put further conditions on the scheme. For example, we want 
to avoid such instances as 

π(H(i_1) ∩ ... ∩ H(i_{k-d+s})) = {w_1} × ... × {w_s} × F^{d-s}, 

since this would give away s of the keys. In other words, if p_j 
is the projection defined by p_j((f_1, ..., f_d)) = f_j, we never want 
p_j(π(H)) to be a single point of F if H is the intersection of 
less than k shadows. But since π(H) is a translation of π(S), 
where S is the intersection of the S(i)s corresponding to the 
H(i)s whose intersection is H, it is enough to require that 
p_j(π(S)) ≠ {0}. This can be done easily by first setting the 
subspaces T(j) equal to ker(p_j ∘ π). Now suppose in such a case 
that p_j(π(S)) = {0}. Then S ⊆ ker(p_j ∘ π) = T(j). But this 
contradicts the fact that the S(i)s will have been chosen such that 
the S(i)s and the T(j)s are in general position. 

(3.5) Theorem. The (d,k,n) linear ramp scheme is Shannon 
relatively secure. 

Proof: By Lemma (2.6) it is enough to show that, given H the 
intersection of λ shadows, then 

|π^{-1}(w) ∩ H| / |π^{-1}(w*) ∩ H| = |π^{-1}(w)| / |π^{-1}(w*)| 

for all w and w* in π(H). Since π is a linear transformation, 
we know that 

|π^{-1}(w)| = |π^{-1}(w*)| 

for all w in F^d, so it is enough to show that 

|π^{-1}(w) ∩ H| = |π^{-1}(w*) ∩ H| 

for all w and w* in π(H). 

Since π^{-1}(w) is a translation of the kernel of π, π^{-1}(w) and 
H are translations of two vector subspaces in general position. 
Thus, if the sum of their dimensions is less than k (that is, if H 
is the intersection of more than k-d shadows) their intersection is 
either empty or a single point, and |π^{-1}(w) ∩ H| = 1 whenever 
w ∈ π(H). If the sum of the dimensions of π^{-1}(w) and H is greater 
than k, then 

dim(π^{-1}(w) ∩ H) = dim(π^{-1}(w)) + dim(H) - k 

for all w, so |π^{-1}(w) ∩ H| is the same for all w. 

Next we look at some examples of ramp schemes. 

A. Blakley Scheme 

The Blakley scheme is the scheme of Definition (3.1) with π 
taken to be a projection to a d-dimensional subspace of F^k such that 
the kernel of π satisfies the conditions of Definition (3.1). This is 
essentially a rigid version of the Blakley scheme described in [BL79]. 

B. Bloom Scheme 

In this scheme [BL81b] we let V be (F^k)*, the space of linear 
functionals [HO71, p. 97] from F^k to F. (Of course (F^k)* is 
isomorphic to F^k.) Let t_1, ..., t_d be linearly independent 
vectors in F^k. The map π: (F^k)* → F^d is given by 

π(L) = (L(t_1), ..., L(t_d)). 

Choose vectors {s_1, ..., s_n} in F^k such that the set 

{t_1, ..., t_d, s_1, ..., s_n} 

is in general position. Let 

S(i) = {L ∈ (F^k)* | L(s_i) = 0} 

and let 

T(i) = {L ∈ (F^k)* | L(t_i) = 0}. 

Then if we let T = T(1) ∩ ... ∩ T(d), we have T = ker(π). Let w 
be a point in F^d. Pick a linear functional G at random in 
π^{-1}(w). The shadows H(i) associated to w are 

H(i) = {L ∈ (F^k)* | L(s_i) = G(s_i)}. 

Clearly H(i) is a translation of S(i), and so the Bloom scheme 
satisfies all the criteria for a linear ramp scheme. Moreover, it 
follows from the way we have defined the T(i)s that the Bloom scheme 
clearly satisfies the criteria of Remark (3.3). 

C. Shamir Scheme 

The Shamir threshold scheme [SH79] is defined as follows. Let 
f(x) be a polynomial of degree k-1 in F[x], where F is a finite 
field. Choose elements c_0, b_1, ..., b_n. Let f(c_0) be the key and 
let f(b_1) through f(b_n) be the shadows. If we know k shadows then we can use 
Lagrange interpolation to find f(x) and hence the key f(c_0). In 
[KO84] Kothari points out that the Shamir scheme is a special case of 
Bloom's scheme. Suppose that 

f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1}. 

We let the linear functional L we are hiding be defined by 

L(v) = (a_0, a_1, ..., a_{k-1})·v, 

we let the n vectors s_i in general position be 

s_i = (1, b_i, (b_i)^2, ..., (b_i)^{k-1}) 

and let t_1 be (1, b_0, (b_0)^2, ..., (b_0)^{k-1}). The key is L(t_1). 
This is clearly equivalent to Shamir's scheme. Moreover, since these 
vectors (which make up the Vandermonde matrix) are usually the ones 
chosen for the Bloom scheme anyway, this means that Bloom's and 
Shamir's schemes are essentially equivalent. We point out that we can 
make Shamir's scheme into a ramp scheme by letting the key element be 
the vector (f(c_1), ..., f(c_d)) where c_1, ..., c_d are elements 
of F. 
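The (2,3,5) Shamir ramp scheme the paragraph ends with, written in the form of Definition (3.1) with π(y) = (t(1)·y, t(2)·y), and with the counts |π^{-1}(w) ∩ H| of Lemma (2.6) computed by exhaustive enumeration so that Proposition (3.2), Remark (3.4) and Theorem (3.5) can be checked numerically. This is an added example and not code from the paper; the field GF(7), the node values and the brute-force enumeration (feasible only at this toy size) are assumptions of the example.

```python
# Added example (not code from the Blakley/Meadows paper): the (d,k,n) = (2,3,5)
# Shamir ramp scheme of section C, written as the linear ramp scheme of Definition
# (3.1) over GF(7).  V = F^k holds the coefficient vector y of f; π(y) =
# (f(c_1), f(c_2)) = (t(1)·y, t(2)·y) with t(j) = (1, c_j, c_j^2); shadow i is the
# hyperplane H(i) = {x : s(i)·x = f(b_i)} with s(i) = (1, b_i, b_i^2).  Distinct nodes
# make any k of the t's and s's a Vandermonde system, i.e. they are in general
# position, and T(j) = {t(j)·x = 0} = ker(p_j ∘ π) as Remark (3.4) asks.
# Field size, node values and the exhaustive enumeration are choices of this example.
from itertools import product
from collections import Counter

P, D, K, N = 7, 2, 3, 5
KEY_NODES = [0, 1]               # c_1, c_2
SHARE_NODES = [2, 3, 4, 5, 6]    # b_1, .., b_5, distinct from the key nodes

def vand(b, k=K, p=P):
    return [pow(b, j, p) for j in range(k)]

def dot(u, v, p=P):
    return sum(x * y for x, y in zip(u, v)) % p

T_VECS = [vand(c) for c in KEY_NODES]      # t(1), t(2)
S_VECS = [vand(b) for b in SHARE_NODES]    # s(1), .., s(5)

def pi(y):
    """The revealing map π: F^k -> F^d, here y -> (f(c_1), f(c_2))."""
    return tuple(dot(t, y) for t in T_VECS)

def make_shadows(y):
    """Concealing point y (the coefficients of f); shadow i is c(i) = s(i)·y = f(b_i)."""
    return [dot(s, y) for s in S_VECS]

def intersection(known):
    """H = intersection of the known shadows {i: c(i)}, by enumerating all of F^k."""
    return [y for y in product(range(P), repeat=K)
            if all(dot(S_VECS[i], y) == c for i, c in known.items())]

def key_profile(known):
    """|π^{-1}(w) ∩ H| for every w in π(H), the quantity of Lemma (2.6)."""
    return Counter(pi(y) for y in intersection(known))

def is_relatively_secure(known):
    """(2.7) with |π^{-1}(w)| constant (π is linear): all fibre counts equal."""
    return len(set(key_profile(known).values())) == 1

def remaining_dimension(known):
    """dim π(H) = log_P |π(H)|; Prop. (3.2) predicts d-s after k-d+s shadows."""
    size, e = len(key_profile(known)), 0
    while P ** e < size:
        e += 1
    return e

def coordinate_is_fixed(known, j):
    """Remark (3.4): is p_j(π(H)) a single value?  Should be False below k shadows."""
    return len({w[j] for w in key_profile(known)}) == 1

def recover(known):
    """With k shadows H = {y} and the key is π(y)."""
    H = intersection(known)
    return pi(H[0]) if len(H) == 1 else None
```

With zero or one shadow (up to k-d = 1) every key vector has the same fibre count, i.e. the scheme is perfectly secure there; with two shadows the key is confined to a line in F^2 (dimension d-s = 1) but every point of that line is equally likely and neither coordinate is pinned down; with three shadows the point y and hence the key are unique.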

D. Karnin/Greene/Hellman Scheme. 

In this scheme [KA83] the vector space F^k is replaced by (F^e)^k 
and F^d by (F^e)^d, where e is a positive integer. Let A(1) 
through A(d) be k·e by e matrices such that the k·e by d·e 
matrix formed by A(1) through A(d) is of maximal rank. Next choose 
matrices B(1) through B(n) such that any k member subset of 

{A(1), ..., A(d), B(1), ..., B(n)} 

gives a k·e by k·e matrix of full rank. The map 

π: (F^e)^k → (F^e)^d 

is given by 

π(x) = (A(1)·x, ..., A(d)·x). 

Let 

T(i) = {u ∈ (F^e)^k | A(i)·u = 0}. 

Let 

S(j) = {x ∈ (F^e)^k | B(j)·x = 0}. 

Clearly the S(j)s and the T(j)s are in general position and the 
intersection of the T(i)s is the kernel of π. If w is a vector 
in (F^e)^d choose a random member u of π^{-1}(w). We let the ith 
shadow associated with w be 

H(i) = {x ∈ (F^e)^k | B(i)·x = B(i)·u}. 

The conditions of the Karnin/Greene/Hellman scheme are similar to 
those of Definition (3.1) and similar security proofs may be 
obtained. In particular, the Karnin/Greene/Hellman scheme reduces to 
Bloom's scheme if e = 1. Simply replace F^k by (F^k)* and the 
random vector u in π^{-1}(w) by u* ∈ (F^k)*, where u*(x) = u·x 
for every x ∈ F^k. Then π: F^k → F^d becomes 

π(u*) = (u*(A(1)), ..., u*(A(d))), 

S(i) becomes {u* | u*(A(i)) = 0} and so forth. 

4. FIELD SIZES 

We have paid little attention to the field F underlying the 
vector spaces above. But with a general (d,k,n) ramp scheme, as with 
its special case the k out of n threshold scheme and the k out 
of n p/s/r process, it is necessary that the underlying field contain 
at least n members. The reason for this is that otherwise it is not 
possible to find the necessary hyperplanes (or points, as the case may 
be) in general position as required by the formulation given in 
Section 3. 

Actually the cardinality of the field can drop as low as n-2 in 
some rather exceptional cases. There is, for example, a Bloom 3 out of 
6 p/s/r process (i.e. a Bloom (3,3,6) ramp scheme) whose underlying 
field is GF(4). The reason for this is that the six vectors 

    [1,0,0] 
    [0,1,0] 
    [0,0,1] 
    [1,1,1] 
    [1,a,b] 
    [1,b,a] 

are in general position in GF(4)^3, where the members of GF(4) are 
0, 1, a and b = a^2. 
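An exhaustive check of this claim, added here and not taken from the paper: every one of the 20 triples among the six vectors has a nonzero determinant over GF(4), with GF(4) represented as GF(2)[a]/(a^2 + a + 1), so a^2 = a + 1 = b (a standard representation, assumed here).

```python
"""Check that the six vectors listed in the text are in general position in
GF(4)^3, i.e. every three of them are linearly independent. Added example,
not from the paper.

GF(4) = {0, 1, a, b = a^2} is represented as GF(2)[a]/(a^2 + a + 1); an
element c0 + c1*a is encoded as the integer c0 + 2*c1, so a = 2 and b = 3.
"""
from itertools import combinations

A, B = 2, 3  # a and b = a^2 in the encoding above


def gf4_add(x, y):
    """Addition in GF(4) is XOR of the 2-bit encodings (characteristic 2)."""
    return x ^ y


def gf4_mul(x, y):
    """Carry-less product of the 2-bit encodings, reduced by a^2 = a + 1."""
    r = 0
    for i in range(2):
        if (y >> i) & 1:
            r ^= x << i
    if r & 4:          # an a^2 term appeared: replace it by a + 1
        r ^= 0b111
    return r


def det3(m):
    """3x3 determinant over GF(4) by cofactor expansion; no signs in char 2."""
    (a0, a1, a2), (b0, b1, b2), (c0, c1, c2) = m
    t0 = gf4_mul(a0, gf4_add(gf4_mul(b1, c2), gf4_mul(b2, c1)))
    t1 = gf4_mul(a1, gf4_add(gf4_mul(b0, c2), gf4_mul(b2, c0)))
    t2 = gf4_mul(a2, gf4_add(gf4_mul(b0, c1), gf4_mul(b1, c0)))
    return gf4_add(gf4_add(t0, t1), t2)


# The six vectors from the text, over a field of n-2 = 4 elements.
VECTORS = [
    [1, 0, 0], [0, 1, 0], [0, 0, 1], [1, 1, 1], [1, A, B], [1, B, A],
]


def dependent_triples(vectors):
    """Triples with zero determinant; empty iff the vectors are in general position."""
    return [tri for tri in combinations(vectors, 3) if det3(tri) == 0]


def in_general_position(vectors):
    """True iff every triple of the given vectors spans GF(4)^3."""
    return not dependent_triples(vectors)


if __name__ == "__main__":
    print("six vectors in general position:", in_general_position(VECTORS))
```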

But the n-2 bound is seldom attained, and it is an open 
question [MA67] to characterize all the cases in which this happens. 

For many purposes there is no advantage to be gained by using a 
large field in building a threshold scheme (i.e. a (1,k,n) ramp 
scheme) if a smaller field would suffice. The latter, which could be 
implemented more cheaply and quickly, would provide as much 
security — Shannon perfect security — as the former. 

But, when it comes to more general ramp schemes, there are many 
occasions on which use of a large underlying field might be 
desirable. Only Shannon relative security (or even merely Shannon 
t-relative security) is available to the user of a (d,k,n) ramp scheme 
when d ≥ 2. So it might be desirable to have a large haystack of 
shadows in which to hide the message needle. Somebody who used 
GF(2^32) as the underlying field for, let us say, a (2,5,9) ramp scheme 
would have the consolation of knowing that an opponent who had 
obtained four shadows corresponding to a single test of two 32-bit 
words would still have nothing other than his a priori guess as to 
which of 4 billion possibilities was the correct value of the 64-bit 
string in question. The opponent would, of course, be better off for 
knowing the four shadows, having thereby eliminated more than 18 
billion billion possibilities. 

Contrast this state of affairs with 8 successive applications of 
a (2,5,9) ramp scheme over GF(16) to the same 64 bits of 
information. Each successive 8-bit substring would be narrowed down 
to one of 16 possibilities. The total possible number of values of 
the 64-bit string would again be somewhat over 4 billion to an 
opponent who had intercepted four shadows of everything. But, though 
the opponent's recovery problems in the two cases at hand thus look 
mathematically equivalent, they are not cryptographically equivalent. 
Suppose, for example, that the original 64-bit string were eight Latin 
letters, ASCII coded, and each of the successive two-half-byte lists were 
the ASCII code for a single letter. The 16 possibilities for each 
symbol would be narrowed down to 1 or 2 by the requirement that it be 
one of only 26 bytes among all 256 possible bytes. The opponent would 
thus recover the message without machine assistance if the underlying 
field were GF(16). No such cheap approach is available when GF(2^32) 
is employed. 

The question of infinite fields is a different matter, as noted 
in [BL83]. However the duality relationship between Blakley schemes 
and Shamir/Bloom schemes enables us to give a satisfactory solution to 
some of the problems raised in [BL83]. We can now produce Shannon 
perfectly secure rigid Blakley projective geometric (d,k,n) ramp 
schemes which amount to natural, and very efficient, generalizations 
of infinite one-time pads [BL83]. This development will be described 
in full elsewhere. 



5. ASMUTH/BLOOM SCHEMES 

In this section we look at an example of a ramp scheme based on 
the Asmuth/Bloom threshold scheme [AS83] . 

Choose prime numbers p(1) through p(d) and integers m(1) 
through m(k+n) such that the following properties hold: 

(i) p(1) < p(2) < ... < p(d) < m(1) < ... < m(k+n) 

(ii) All of the numbers in (i) are pairwise relatively prime. 

(iii) \prod_{i=1}^{k} m(i) > p(d) \prod_{i=1}^{k-1} m(k+n+1-i) 

(iv) \prod_{i=1}^{k} m(i) < \prod_{j=1}^{d} p(j) \prod_{i=1}^{k-d+1} m(k+i) 

Denote the product of the p(i)s by P and the product of the k 
smallest m(i)s by M. Let V be the collection of all integers y 
such that 0 ≤ y < M. Let W be Z/PZ. Let the revealing map π be 
evaluation mod P. We choose the shadows in the following way. 
Let w be an element of Z/PZ. Choose a random number A such that 
0 ≤ y = w + AP < M. The ith shadow H(i) is the set of all integers z 
between zero and M such that y ≡ z mod m(k+i). The intersection of 
any r shadows H(i_1), ..., H(i_r) is, by the Chinese Remainder 
Theorem, the set of all z between zero and M such that y ≡ z 
modulo the product of m(k+i_1) through m(k+i_r). 

(5.1) Proposition: The Asmuth-Bloom scheme is a (d,k,n) ramp scheme 
with ℓ = k-d. Knowledge is gained in a regular way with knowledge of 
each shadow after k-d shadows in the sense that 

a) Knowledge of k-d+s shadows and knowledge of y modulo d-s+1 of 
the p(i)s gives us knowledge of w. 

b) Knowledge of k-d+s shadows does not give us knowledge of 
y modulo any d-s of the p(i)s. 

Proof: First we note that if the m(i)s are relatively close to the 
p(i)s (which is guaranteed by part (iii) of the definition) then 

    \frac{\log |V|}{\log |W|} \approx \frac{k}{d}. 

Now suppose we know k shadows, that is, suppose we know y 
modulo k of the m(k+i)s. Denote their product by B. By the 
Chinese Remainder Theorem, we know y mod B. Since B > M, there is 
only one number z such that 0 ≤ z < M and y ≡ z mod B, namely y. 
Thus the intersection of k shadows is a single point in π^{-1}(w), and 
so the Asmuth-Bloom scheme satisfies part a) of Definition (2.1). 

Next suppose that we know no more than k-d shadows, that is, 
that we know y modulo no more than k-d of the m(k+i)s. Denote 
their product by B. By the Chinese Remainder Theorem, we know 
y modulo B. By (iii) and (i), M/B > P, and since P is relatively 
prime to all the m(i)s, this means that the set of all integers z 
with z ≡ y mod B and z < M covers all congruence classes modulo P. Thus 
the restriction of π to the intersection of no more than k-d 
shadows is surjective, and so the Asmuth-Bloom scheme satisfies part 
b) of Definition (2.1). 

Next, suppose we know k-d+s shadows, where 1 < s < d. Let B 
denote the product of the corresponding m(k+i)s. Let C denote the 
product of any d-s of the p(i)s. By (i) and (iii), M/B > C. From 
this fact and the fact that C and B are relatively prime, we can 
conclude that the set of all integers z such that z ≡ y mod B and 
z < M covers all congruence classes mod C. Thus, if we let ρ 
denote the projection from Z/PZ to Z/CZ, the restriction of ρ ∘ π 
to the intersection of the shadows is surjective, giving us part b) of 
the proposition. 

Finally, suppose that we know y modulo d-s+1 of the primes and 
k-d+s of the m(k+i)s. Denote the product of the primes by C and 
the product of the m(k+i)s by B. By (i) and (iv), M < BC. Thus 
knowledge of y modulo BC gives us y, giving us part a) of the 
proposition. 
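The scheme and Proposition (5.1) above, run on a small constructed instance as an added example that is not the paper's code: (d,k,n) = (2,3,4), p(i) = 2, 3 and m(i) = 11, ..., 29 are choices that satisfy (i)-(iv); any k shares recover w, a single share (k-d of them) leaves every element of Z/PZ possible, and two shares already narrow w down, exactly the gradual gain the proposition describes.

```python
"""A small (d,k,n) = (2,3,4) Asmuth/Bloom ramp scheme with constructed
parameters that satisfy conditions (i)-(iv) of the definition, used to
check Proposition (5.1) by enumeration. Added example; not the paper's code.
The secret w is an element of Z/PZ; the ith share is (m(k+i), y mod m(k+i)).
"""
from math import gcd, prod
import random

D, K, N = 2, 3, 4
PRIMES = [2, 3]                          # p(1) < p(2); P = 6
MODULI = [11, 13, 17, 19, 23, 25, 29]    # m(1) < ... < m(k+n), pairwise coprime
P = prod(PRIMES)
M = prod(MODULI[:K])                     # product of the k smallest m(i)s = 2431


def check_conditions():
    """Conditions (i)-(iv) of the Asmuth/Bloom ramp-scheme definition."""
    seq = PRIMES + MODULI
    i_ok = all(a < b for a, b in zip(seq, seq[1:]))
    ii_ok = all(gcd(a, b) == 1 for j, a in enumerate(seq) for b in seq[j + 1:])
    largest = MODULI[::-1]
    iii_ok = M > PRIMES[-1] * prod(largest[:K - 1])
    iv_ok = M < P * prod(MODULI[K:K + (K - D + 1)])
    return i_ok and ii_ok and iii_ok and iv_ok


def crt(residues, moduli):
    """Chinese remaindering: (z, B) with z = r_i mod m_i for all i, 0 <= z < B."""
    z, b = 0, 1
    for r, m in zip(residues, moduli):
        t = ((r - z) * pow(b, -1, m)) % m
        z, b = z + b * t, b * m
    return z, b


def share(w, seed=0):
    """Lift w to a random y = w + A*P in [0, M) and hand out y mod m(k+i)."""
    rng = random.Random(seed)  # seeded only so the demo is repeatable
    a = rng.randrange((M - w + P - 1) // P)
    y = w + a * P
    assert 0 <= y < M
    return [(m, y % m) for m in MODULI[K:]]


def candidates(shares):
    """The shadow intersection: all z in [0, M) with z = y mod B, together
    with the set of secrets z mod P that the shares leave possible."""
    z, b = crt([r for _, r in shares], [m for m, _ in shares])
    zs = list(range(z, M, b))
    return zs, sorted({x % P for x in zs})


def recover(shares):
    """k shares: B > M, so the intersection is the single point y; w = y mod P."""
    zs, _ = candidates(shares[:K])
    assert len(zs) == 1
    return zs[0] % P


def demo(w=5, seed=3):
    sh = share(w, seed)
    assert recover(sh[1:]) == w                 # any k of the n shares
    _, one = candidates(sh[:1])                 # k-d = 1 share: all of Z/PZ remains
    _, two = candidates(sh[2:])                 # k-d+1 shares: the ramp leaks
    return len(one), len(two)


if __name__ == "__main__":
    print("conditions hold:", check_conditions(), "candidates:", demo())
```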



We note that conditions (iii) and (iv) of the definition of the 
Asmuth/Bloom ramp scheme can be changed by requiring that 

    \prod_{i=1}^{k} m(i) > p(d) \cdot \prod_{i=1}^{k-1+t} m(k+n+1-i) 

and 

    \prod_{i=1}^{k} m(i) < \prod_{j=1}^{d} p(j) \cdot \prod_{i=1}^{k-d+t} m(k+i) 

for some positive integer t < d. This would lessen the amount of 
information gained with each shadow. Knowledge of k-d+s shadows and 
d-s+t of the p(i)s would be required for knowledge of w. Or we 
could leave part (iii) of the definition unchanged: this would have 
the advantage of allowing us more leeway in choosing the m(i)s, and 
would mean that knowledge of k-d+s shadows and d-s+t of the p(i)s 
would always give us knowledge of w, while knowledge of fewer of the 
p(i)s sometimes would and sometimes would not, depending on the 
shadows. However, in both cases efficiency would be lost. The change 
in part (iii) of the definition would require the ratio m(1)/p(d) to 
be larger, while the change in part (iv) would allow the ratio to be 
larger. 

(5.2) Theorem. Let R be a (d,k,n) Asmuth/Bloom ramp scheme. Let 
P denote the product of the p(i)s, let M denote the product of the 
k smallest m(i)s, and, for 1 ≤ r ≤ k-d, let M_r denote the product 
of the r largest m(i)s. If r ≤ k-d then R is Shannon 
t-relatively secure with knowledge of r shadows if and only if 

    ([M/M_r P] - 1/t)([M/P] - 1/t) > (1+t)/t^2. 

If r > k-d then R is t-relatively secure if and only if 

    [M/P] - 1/t > 0. 
Proof: By Lemma (2.6) it is enough to show that, if H is the 
intersection of r shadows, then 

(5.3)   \frac{|\pi^{-1}(w)|}{(1+t)\,|\pi^{-1}(w^*)|} < \frac{|\pi^{-1}(w) \cap H|}{|\pi^{-1}(w^*) \cap H|} < \frac{(1+t)\,|\pi^{-1}(w)|}{|\pi^{-1}(w^*)|} 

for all w and w* in π(H). Let H be the intersection of r 
shadows. Then H is the set of all z between zero and M such 
that z ≡ y mod B, where B is the product of the r m(k+i)s 
corresponding to the r shadows. The cardinality of π^{-1}(w) for a 
given w in Z/PZ is either [M/P] or [M/P] + 1, and the 
cardinality of π^{-1}(w) ∩ H is either [M/BP] or [M/BP] + 1, where 
[ ] denotes the greatest integer function. We consider the two cases: 

A: r ≤ k-d (in which case [M/BP] > 0), and 

B: r > k-d (in which case [M/BP] = 0). 

Case A. Suppose that r ≤ k-d. Then [M/BP] > 0. The worst possible 
case as far as the right half of inequality (5.3) is concerned is 

    |π^{-1}(w)| = [M/P], 
    |π^{-1}(w*)| = [M/P] + 1, 
    |π^{-1}(w) ∩ H| = [M/BP] + 1, and 
    |π^{-1}(w*) ∩ H| = [M/BP]. 

We are thus reduced to proving the inequality 

    ([M/BP] + 1)/[M/BP] < (1+t)[M/P]/([M/P] + 1). 

This is equivalent to 

    ([M/BP] - 1/t)([M/P] - 1/t) > (1+t)/t^2. 

Since B ≤ M_r and can be equal to M_r, it is thus necessary and 
sufficient to have 

    ([M/M_r P] - 1/t)([M/P] - 1/t) > (1+t)/t^2. 

The proof of the left-hand side of inequality (5.3) is similar. 
Case B. Suppose that r > k-d. By conditions (i) and (iv) of the 
definition of the Asmuth/Bloom scheme we then have [M/BP] = 0. Thus 
the cardinality of π^{-1}(w) ∩ H is either 0 or 1. Since we are 
only interested in proving the inequality for w and w* in π(H), 
the worst possible case as far as the right half of inequality (5.3) 
is 

    |π^{-1}(w)| = [M/P], 
    |π^{-1}(w*)| = [M/P] + 1, 
    |π^{-1}(w) ∩ H| = 1, 

and 

    |π^{-1}(w*) ∩ H| = 1. 

We thus have to prove the inequality 

    \frac{1}{[M/P]} < \frac{1+t}{[M/P] + 1}. 

This is equivalent to [M/P] - 1/t > 0. 

There are two apparent contradictions here that need to be 
resolved. First we might ask the question: what if we choose t 
such that [M/P] - 1/t < 0? Then would it be possible that 

(5.4)   ([M/M_r P] - 1/t)([M/P] - 1/t) > (1+t)/t^2, 

thus giving Shannon t-relative security for small t but not possibly 
for larger t? The answer is no. For suppose that [M/P] - 1/t < 0 
and that inequality (5.4) holds. Then we have 

    ([M/M_r P] - 1/t)([M/P] - 1/t) = \frac{t^2 [M/M_r P][M/P] - t([M/M_r P] + [M/P]) + 1}{t^2} > \frac{t+1}{t^2}. 

Hence 

    t^2 [M/M_r P][M/P] > t([M/M_r P] + [M/P] + 1) 

and so 

    \frac{1}{t} < \frac{[M/M_r P][M/P]}{[M/M_r P] + [M/P] + 1}. 

But 

    [M/M_r P] - \frac{[M/M_r P][M/P]}{[M/M_r P] + [M/P] + 1} = \frac{[M/M_r P]^2 + [M/M_r P]}{[M/M_r P] + [M/P] + 1} > 0. 

Thus [M/M_r P] - 1/t > 0, and so [M/P] - 1/t > 0. 



The other apparent contradiction is that the requirement for 
t-relative security after knowledge of k-d shadows is less stringent 
than the requirement before, making it seem that we lose information 
as we gain knowledge of the shadows. But this contradiction appears 
only if we forget the fact that after k-d shadows some 
probabilities, which are not figured in the computations of t-relative 
security, go to zero. Thus, in spite of appearances, we still have 
more information than before. 

Note that Shannon t-relative security and Condition (iii) of the 
definition of the Asmuth/Bloom scheme require that M be large in 
comparison to P·M_r, while Condition (iv) requires that M be 
relatively small. If d is large then Shannon t-relative security 
and Condition (iii) become relatively easy to obtain, while Condition 
(iv) becomes harder. The reverse is true if d is small. 

The difficulty seems to lie in the inequality in Condition 
(iii). If this inequality could be replaced by an equality, then it 
and the first two conditions would suffice to give us a ramp scheme, 
making Condition (iv) unnecessary. This indeed can be done in certain 
cases of the generalized Asmuth/Bloom scheme, in which the integers are 
replaced by a Euclidean domain and the p(i)s and m(i)s can be replaced by 
relatively prime elements of the same degree. However, since the only 
known practical example of such a scheme is Shamir's scheme [SH79], 
which was discussed in Section 3, we refrain from discussing 
generalized Asmuth-Bloom schemes here. 

This work was supported in part by NSA Grant MDA-83-H-0002. 
1. Introduction 

Pseudo random sequences of integers are most commonly 
generated by linear congruence methods [5] or by linear 
shift registers [1]. These sequences can be used in cryptology 
if they are cryptographically secure [9]: 

A pseudo-random sequence is cryptographically secure if 
given any segment of the sequence, it is computationally 
infeasible to compute other segments of the sequence. 

It has been shown that sequences generated by linear 
congruence methods or by linear shift registers are not 
cryptographically secure [1,6,7]. By using one-way functions 
[2,3,9,10,11] or cryptographically strong encryption 
algorithms like the DES, secure pseudo random number 
sequences can be constructed. 

In this paper we propose a new class of generators. 
Members of the new class compare favourably with existing 
cryptographically strong generators since 

- they are fast, even in software implementation, and 

- they can quickly and easily be programmed in any computer 
language. 

This work was supported by the Natural Sciences and En- 
gineering Research Council of Canada under Strategic Grant 
G0381. 
We first explain how the generators can be constructed 
in general. In sections 3 and 4 the generation of pseudo 
random permutations is described in detail. In section 5 it 
is shown how these permutations may be used in cryptology. 

2. General scheme 

Let S be a set with cardinality #S and let * and ∘ be 
two binary operations on S. We construct a sequence {s^i} = 
s^0, s^1, s^2, ... as follows: 

Step 0: Let x^0 be an arbitrary element of S. 

Step 1: x^i = x^{i-1} * q, for i > 0 and some q ∈ S. 

Step 2: s^i = x^{ki} ∘ x^{ki+1} ∘ ... ∘ x^{ki+k-1}, 
for all i ≥ 0 and some positive integer k. [] 

The element q should be chosen such that the sequence 
{x^i} has a large period. In the best case {x^i} will have a 
period equal to #S, which implies that the period of the 
sequence {s^i} is 

    #S / gcd(k, #S). 

Obviously the set S, element q, integer k and operations * 
and ∘ have to be chosen such that {s^i} becomes cryptographically 
secure. We will use the above algorithm to construct 
a sequence of pseudo-random permutations. Although we have 
not been able to prove our random permutation generator 
secure, we conjecture that the sequence is secure since in 
our generator 

i- q is chosen such that the period of {x^i} is maximal, 

ii- the operations ∘ and * do not have the distributive 
property, 

iii- the set S with operation ∘ forms a group. 

Fact -i- ensures that the sequence does not cycle in practice 
if S is chosen such that #S > 2^200, say. Fact -ii- makes it hard to 
simplify and solve equations that express elements of the sequence 
{s^i} in terms of the unknown quantities {x^i} and q. Finally fact 
-iii- implies that 

    a = b ∘ x 

has a solution x ∈ S for all a, b ∈ S. So if an element of the 
sequence {s^i} is known, then little is known about the values of 

    x^{kj}, x^{kj+1}, ..., x^{kj+k-1}. 
3. Random permutations 

Let P denote the set of all permutations of (0 1 2 ... 
n-1). Various algorithms that map the set Z_{n!} onto the set 
P exist [4,5]. In this paper we use the mapping given in 
[5] and we denote it by f. So 

    f : Z_{n!} -> P 

is a bijection. We compute the pseudo random sequence of 
permutations {p^i} by the following algorithm: 

Step 0: Let x^0 be an arbitrary element of Z_{n!} and q ∈ Z_{n!} 
with gcd(n!, q) = 1. 

Step 1: x^i = (x^{i-1} + q) mod n!, for i > 0. 

Step 2: p^i = f(x^{ki}) ∘ f(x^{ki+1}) ∘ ... ∘ f(x^{ki+k-1}) for all 
i ≥ 0 and some positive integer k, 
where ∘ is composition of permutations. [] 

Notice that the sequence generated in step 1 is a special 
case of the linear congruential sequence 

    x^i = a x^{i-1} + q mod m 

with a = 1 and m = n!. By choosing q relatively prime to n!, we 
are guaranteed a sequence {x^i} of maximum period n! [5]. 
We will see in the next section how the above algorithm 
can be implemented efficiently. 

4. Implementation 

Elements in Z_{n!} can be represented in a mixed-radix 
notation [5] as follows: if x ∈ Z_{n!} it can be written as 
(x_0, x_1, ..., x_{n-1}) with 

    x = \sum_{i=0}^{n-1} x_i \cdot i!   and   0 ≤ x_i ≤ i. 

Addition modulo n! of two elements of Z_{n!}, written in this 
mixed-radix notation, can be achieved with at most 2n additions, 
n subtractions and n comparisons. 

If we denote a permutation p ∈ P by the sequence (p(0) 
p(1) ... p(n-1)) then the mapping f from Z_{n!} to P can be 
defined by [5]: 

function f(x): 
    let p(i) = i, for i = 0, ..., n-1 
    for i = n-1, n-2, ..., 1, 0 do 
        exchange(p(i), p(x_i)) 
    end for 
    return p. [] 

Since composition of permutations of size n can be achieved 
with n exchanges, it is obvious that each element of the 
sequence {p^i} can be computed in O(kn) steps. 

5. Generating bits 

A pseudo random sequence of bits can be added bitwise 
modulo 2 to the bits of a message to construct a cryptogram. 
If the bit sequence is cryptographically secure, then so is 
the resulting cryptogram. We show below how the random 
sequence of permutations can be used to produce a pseudo- 
random sequence of bits. 

Let b^i be an arbitrary bit vector of length n and let 
p^i[b^i] denote the bit vector that is the result of applying 
permutation p^i to vector b^i. If {b^i} is an arbitrary 
pseudo-random sequence of bit vectors then we conjecture 
that {p^i[b^i]} is a cryptographically secure bit stream. 

In the algorithm below we use the sequence {b^i} defined by 

    b^0 = (0101 ... 0101) 

    b^i = p^{i-1}[b^{i-1}], i > 0. 

We propose to use k = 2 and n = 64. So the period of {x^i} and 
therefore of {p^i[b^i]} is approximately 64! (about 2^296). 

The algorithm applies the permutations p^i = f(x^{2i}) ∘ 
f(x^{2i+1}) to the bit vectors b^i without in fact computing p^i 
but rather by applying x^{2i} and x^{2i+1} directly to b^i. Implemented 
in the programming language C and running on a VAX 
11/780, the algorithm generated more than 10 000 
bits/second. 

Algorithm to generate a bit stream: 

n <- 64 
k <- 2 
x_0, x_1, ..., x_{n-1} <- initial value 
q_0, q_1, ..., q_{n-1} <- integer relatively prime to n! 
b_0, b_1, ..., b_{n-1} <- 0,1,0,1,0,1, ..., 0,1 

repeat as many times as required 
    do k times 
        {compute x + q mod n!} 
        carry <- 0 
        for i = 1, 2, ..., n-1 do 
            x_i <- x_i + q_i + carry 
            if x_i > i then x_i <- x_i - (i+1) 
                            carry <- 1 
                       else carry <- 0 
        end for 
        {apply x to b} 
        for i = n-1, n-2, ..., 1 do 
            exchange(b_i, b_{x_i}) 
        end for 
    end do 
    output b_0, b_1, ..., b_{n-1} 
end repeat. [] 

Notice that the greatest common divisor of two numbers written 
in mixed-radix notation can easily be computed using the 
Euclidean algorithm. 
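The generator of sections 3 to 5 in runnable form, as an added example that is not the paper's C program: mixed-radix arithmetic in Z_{n!} with the carry loop above, the map f from Z_{n!} to permutations, the in-place application of x to a bit vector, and the bit-stream loop with k = 2. The paper proposes n = 64; n = 4 and n = 5 are constructed choices here so that the period claim of section 3 can be checked by counting.

```python
"""The permutation and bit-stream generator of sections 3-5, with n kept
small so that the period claims can be checked exhaustively. Added example,
not the paper's own program; the paper proposes n = 64 and k = 2, the
checks here use n = 4 or 5 (constructed choices).
"""
from math import factorial, gcd


def to_mixed_radix(x, n):
    """Digits (x_0, ..., x_{n-1}) with x = sum x_i * i! and 0 <= x_i <= i."""
    digits = []
    for i in range(n):
        digits.append(x % (i + 1))
        x //= i + 1
    return digits


def from_mixed_radix(digits):
    """Inverse of to_mixed_radix."""
    return sum(d * factorial(i) for i, d in enumerate(digits))


def add_mixed_radix(x, q):
    """x + q mod n! digit by digit: the carry loop of the section-5 algorithm.
    x_0 = q_0 = 0 always, so the loop starts at i = 1; the carry out of the
    last digit is dropped, which is exactly the reduction modulo n!."""
    n = len(x)
    out = [0] * n
    carry = 0
    for i in range(1, n):
        s = x[i] + q[i] + carry
        if s > i:
            out[i], carry = s - (i + 1), 1
        else:
            out[i], carry = s, 0
    return out


def f(digits):
    """The bijection f: Z_{n!} -> P of section 4 (exchange p(i), p(x_i))."""
    n = len(digits)
    p = list(range(n))
    for i in range(n - 1, 0, -1):          # i = 0 would swap p(0) with itself
        p[i], p[digits[i]] = p[digits[i]], p[i]
    return p


def apply_perm(bits, p):
    """p[b]: the bit vector obtained by applying permutation p to b."""
    return [bits[p[j]] for j in range(len(bits))]


def apply_digits(bits, digits):
    """Apply f(x) to b in place, as the section-5 algorithm does, without
    ever building the permutation; equals apply_perm(bits, f(digits))."""
    for i in range(len(bits) - 1, 0, -1):
        bits[i], bits[digits[i]] = bits[digits[i]], bits[i]
    return bits


def x_period(n, q):
    """Period of x^i = x^{i-1} + q mod n! (n! when gcd(n!, q) = 1, section 3)."""
    x, qd, steps = [0] * n, to_mixed_radix(q, n), 0
    while True:
        x = add_mixed_radix(x, qd)
        steps += 1
        if all(d == 0 for d in x):
            return steps


def bit_stream(n, q, x0, k=2, rounds=1):
    """Return the successive output vectors b^i of the section-5 algorithm."""
    if gcd(factorial(n), q) != 1:
        raise ValueError("q must be relatively prime to n!")
    x, qd = to_mixed_radix(x0, n), to_mixed_radix(q, n)
    b = [i % 2 for i in range(n)]           # b^0 = (0101...01)
    outs = []
    for _ in range(rounds):
        for _ in range(k):                  # p^i = f(x^{ki}) o ... applied stepwise
            x = add_mixed_radix(x, qd)
            apply_digits(b, x)
        outs.append(list(b))
    return outs


if __name__ == "__main__":
    print("period of x for n=4, q=5:", x_period(4, 5))
    print("first outputs for n=5:", bit_stream(5, 7, 3, rounds=3))
```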

6. Conclusion 

We applied the statistical tests for randomness 
described in [1] to the bitstream generated by the algorithm 
described above. For these tests we chose n = 64, k = 2 and 
random values for q, and we used an input bitstream of vectors 
{b^i} given by 

    b^i = 111...1000...0 for i = 0, 1, 2, ... 

where the number of 1's in each vector b^i has a binomial 
distribution with parameters 64 and 1/2. The generated 
bitstreams did not exhibit any statistical weaknesses. 
ABSTRACT 

Now that "random functions" can be efficiently constructed ([GGM]), 
we discuss some of their possible applications to cryptography: 

1) Distributing unforgeable ID numbers which can be locally verified 
by stations which contain only a small amount of storage. 

2) Dynamic Hashing: even if the adversary can change the key distribution 
depending on the values the hashing function has assigned to 
the previous keys, still he cannot force collisions. 

3) Constructing deterministic, memoryless authentication schemes 
which are provably secure against chosen message attack. 

4) Constructing Identify Friend or Foe systems. 
1. INTRODUCTION 

In our paper "How to Construct Random Functions" ([GGM]), we have 

1) Introduced an algorithmic measure of the randomness of a function. 
(Loosely speaking, a function is random if any polynomial time 
algorithm, which asks for the values of the function at various 
points, cannot distinguish the case in which it receives the true 
values of the function, from the case in which it receives the outcome 
of independent coin flips.) 

2) Constructed functions that are easy to evaluate and, nevertheless, 
achieve maximum algorithmic randomness, under the assumption that 
there exist one-way permutations. 

In this paper, we describe in detail 4 cryptographic applications 
of these "pseudo-random functions": Storageless ID Number Distribution, 
Dynamic Hashing, Deterministic Private-key Signature Scheme and 
Identify Friend or Foe. Before describing these applications, let us 
recall some of the definitions which appeared in [GGM]. 
1.1 Poly-Random Collections 

Let I_k denote the set of all k-bit strings. Consider the set, 
H_k, of all functions from I_k into I_k. Note that the cardinality of 
H_k is 2^{k 2^k}. Thus to specify a function in H_k we would need k 2^k bits: 
an impractical task even for a moderately large k. Even more, assume 
that one randomly selects subsets H'_k ⊆ H_k of cardinality 2^k so that 
each function in H'_k has a unique k-bit index; then there is no polynomial 
time Turing Machine that, given k, the index of a function 
f ∈ H'_k and x ∈ I_k, will evaluate f(x). 

Our goal is to make "random functions" accessible for applications, 
i.e. to construct functions that can be easily specified and evaluated 
and yet cannot be distinguished from functions chosen at random 
in H_k. Thus we restrict ourselves to choose functions from a subset 
F_k ⊆ H_k where the collection F = {F_k} has the following properties: 

1) Indexing: Each function in F_k has a unique k-bit index associated 
with it. (Thus picking randomly a function f ∈ F_k is easy.) 

2) Poly-time Evaluation: There exists a polynomial time Turing 
machine that, given an index of a function f ∈ F_k and an input x, computes 
f(x). 

3) Pseudo-Randomness: No probabilistic algorithm that runs in time 
polynomial in k can distinguish the functions in F_k from the functions 
in H_k. 

More precisely: the collection F passes all polynomial time 
statistical tests for functions, where the notions "statistical test 
for functions" and "passes a test" are hereby defined. 
A polynomial time statistical test for functions is a probabilistic 
polynomial time algorithm T that, given an input k and access to an 
oracle O_f for a function f: I_k -> I_k, outputs either 0 or 1. Algorithm 
T can query the oracle O_f only by writing on a special query-tape some 
y ∈ I_k and will read the oracle answer, f(y), on a separate answer-tape. 
As usual, O_f prints its answer in one step. 

Let F = {F_k} be a collection of functions. We say that F passes 
the test T if for any polynomial Q, for all sufficiently large k: 

    |p_k^F - p_k^R| < 1/Q(k) 

where p_k^F denotes the probability that T outputs 1 on input k and 
access to an oracle for a function f randomly chosen in F_k. p_k^R is the 
probability that T outputs 1 when given the input parameter k and 
access to an oracle for a function f randomly picked in H_k (i.e. a 
random function). 

Such a collection of functions F will be called a poly-random 
collection. Loosely speaking, despite the fact that the functions in 
F are easy to select and easy to evaluate, they will exhibit, to an 
examiner with polynomially bounded resources, all the properties of 
randomly selected functions. 

The above definition is highly constructive. In [GGM] it was 
shown how to transform any one-to-one one-way function to an algorithm 
A_F for a poly-random collection of functions F. The construction is 
in two steps: first, using Yao's construction (see Appendix A) to 
transform a one-to-one one-way function into a Cryptographically 
Strong Pseudo Random Bit generator (CSPRB-generator); next, using ANY 
CSPRB-generator to construct a poly-random collection (see Appendix 
B). However, for practical purposes we will consider only poly-random 
collections whose underlying CSPRB generator is fast. 
Efficiency considerations 

In recent years many CSPRB generators have been proposed 
([BBS], [BM], [GMT], [Y]), based on various intractability assumptions 
and demonstrating various degrees of practicality. 

Using the new results of Chor and Goldreich [CG] it is now possible 
to construct fast CSPRB generators which are "equivalent" to factoring: 
On input a k-bit long seed, these generators output log k bits at 
the price of one modular multiplication of two k-bit long integers. 
Factoring k-bit long integers is poly(k) reducible to distinguishing 
the sequence generated by these generators from truly random 
sequences. 

Let T denote the average time needed for generating one bit in the 
underlying generator used in our construction of a poly-random 
collection. Then, evaluating a function chosen at random from F_k can 
be done in time O(k^2 T). 

1.2 Comparison with CSPRB generators 

The fundamental definitions and properties of Cryptographically 
Strong Pseudo-Random Bit (CSPRB) generators are given in Appendix A. 

It is a theoretical challenge and an extremely useful task to 
find the most general properties of randomness that can be achieved 
by efficient pseudo-random programs. 

Let us consider the effect of such programs on probabilistic 
computation. 

CSPRB generators cut down the number of coin tosses 

Performing a probabilistic polynomial-time computation that requires 
k^c random bits is trivial if we are willing to flip coins. 
A very interesting feature of CSPRB generators is that they guarantee 
the same result of the computation by flipping only k coins! 

Poly-random collections cut down the storage as well 

The existence of poly-random collections allows one to successfully 
replace a random oracle (function), in any polynomial time computation, 
by k random bits. 

It should be noticed that computing with a random oracle is different 
from computing with a coin. In fact, the bit associated with 
each string x not only is random, but does not change in time and is 
stored for free! The advantages of the random oracle model are 
clarified by all the applications discussed in the following sections. 

Again, it is trivial (see Appendix C) to simulate a computation 
with a random oracle (function) that is queried on k^c inputs if one 
is willing to use k^c bits of storage. A very interesting feature of 
poly-random collections is that they guarantee the same result of the 
computation by using only k bits of storage! 

Sharing randomness in a distributed environment 

An additional advantage of our solution is that it enables many 
parties to efficiently share such an f in a distributed environment. 
By sharing f we mean that if f is evaluated at different times by 
different parties on the same input x, the same value f(x) will be 
obtained. Such sharing is efficient as it can be achieved by an initial 
step which consists of (1) One party flips k coins; and (2) All 
parties record the result. After this initial step no more coin 
flips or message exchanges are needed. The k bits stored by all 
determine a shared function of the poly-random collection. 
Assume that in "situation" S, some party (processor) p_j wants to 
make a random choice so that the other processors will know it. Then 
it will simply compute f(j,S). Because of the "randomness" of f, 
such choices are as good as truly random choices. Note that any other 
processor p_i can compute the random choices processor p_j made in 
situation S, without any extra communication! 

2. "STORAGELESS" DISTRIBUTION OF SECRET NUMBERS 

2.1 The Problem 

Consider the problem of distributing secret identification numbers 
(ID's). Every user in the system should receive a secret ID from the 
system, which is easily verifiable by the system, but hard to compute 
by anyone else. An example may be assigning calling card numbers to 
telephone customers. We assume there are no two users with the same 
name. 

A possible solution could be to assign each user U a secret 
randomly selected number r, and store the pair (U,r) in a protected 
data base. This solution requires storage proportional to the number 
of users, which may be very large. Using our random functions, we 
propose a "storageless" solution to this problem. 

2.2 Our Solution 

Let F_k be a poly-random collection, and let the server pick f ∈ F_k 
at random. Then, the server assigns each user U, f(U) as her secret 
number. To verify whether (U,n) is a legal pair, the server computes 
f(U) and compares it with n. Now, suppose that Alice has such a 
secret ID and that all of her relatives (A_1, A_2 etc.), who possess 
their own secret ID's, gang up to discover Alice's ID. They try to 
exploit the fact that their names A_1, A_2, ..., A_g are similar to hers. 
However, for f picked by the server from a poly-random collection, 
they could not compute f(Alice) given f(A_1), ..., f(A_g). 

This solution requires only k bits of storage, when the number of 
users in the system is bounded by a polynomial in k. 

Notice that this solution also works in a distributed environment. 
If each "branch" of the server has a computer with the (shared k-bit) 
secret s embedded in it, a secret number can be handed out in San 
Francisco and be (locally) verified in Boston. 

2.3 The Correctness Argument: Simulation 

Assume that one-way permutations exist and that g is such a permutation. 
Let F = {F_k} be a poly-random collection constructed using g 
and let f be a function randomly selected from F_k. 
Assume that A_1, A_2, ..., A_g have some advantage in guessing f(Alice) 
from f(A_1), ..., f(A_g). Clearly, they could not have such an advantage 
if f were a truly random function. Thus, they can distinguish f 
from a truly random function. This, in turn, provides an algorithm 
for inverting g. 

3. DYNAMIC HASHING 

3.1 The problem 

Consider the problem of hashing a few long keys (names) into shorter addresses (abbreviations), such that with very small probability two keys are hashed into the same address. The classical purposes of hashing are:

(1) To save on memory space. (For example, assigning physical memory 
location to variables can be done by applying a hashing function to 
the variable names. This way there is no need to store the variable 
names, which may be long.) 

(2) To allow fast retrieval of keyed information (hashing will help in applications where accessing the memory is slower than evaluating the function).

3.2 Our solution 

In order to present our solution let us first generalize the definition of a poly-random collection. Let p_1(.) and p_2(.) be two polynomials. A generalized poly-random collection is a collection, F = {F_{p_1(k), p_2(k)}}, of indexed and easy to evaluate functions from I_{p_1(k)} into I_{p_2(k)} such that a function chosen at random from F_{p_1(k), p_2(k)} cannot be distinguished in poly(k) time from a random function from I_{p_1(k)} into I_{p_2(k)}.

Our solution consists of using a function f chosen at random from F_{p_1(k), p_2(k)} as a hashing function (i.e. key K is hashed into address f(K)).

Note that our hashing function is much more robust with respect to polynomial time computation than the Universal Hashing suggested by Carter and Wegman [CW]. In their scheme, the adversary picks an arbitrary key distribution and the hashing performance (expected number of collisions) is analyzed with respect to this fixed distribution.

Our scheme performs well even if the adversary does not fix his key distribution a priori, but can dynamically change the key distribution during the hashing process upon seeing the hashing function values on previous keys. In other words, even if an adversary can pick the keys to be hashed and examine the values of the hash function on old keys, he cannot force collisions. Moreover, the adversary cannot distinguish the hashing value for a new key from a random value.

The robustness of our hashing technique makes it particularly suitable for cryptographic purposes. For example, Brassard ([B]) has pointed out the advantages of authentication schemes based on "cryptographically strong" hashing functions. This theme is further developed in section 5.

4. MESSAGE AUTHENTICATION AND TIME-STAMPING

In this section we will show how to construct deterministic, memoryless authentication schemes which are highly robust, as discussed in the following concrete setting.

Assume that all the employees of a large bank communicate through a public network. As an adversary may be able to inject messages, the employees need to authenticate the messages they send to each other (e.g. "transfer sum S from account A to account B"). A solution may consist of appending to the message m an authentication tag which is hard to compute by an adversary. In particular, we propose the following. Let all employees have access to authentication machines which compute a function f_s in a poly-random collection. The tag associated with a message m is f_s(m). One can trade off security for the length of the tag. For example, if one uses only the first 20 bits of f_s(m) as an authentication tag, then the chance that an adversary could successfully authenticate a message is about 1 in a million.

To avoid playback of previously authenticated messages, it is common practice to use time-stamps. Namely, authenticate m concatenated with the date it was sent. So far, time-stamping was only a heuristic, as an adversary who sees the message m authenticated with date D could conceivably authenticate m with another date (say D+1). Using our solution for message authentication, time-stamping makes playback provably hard. This is the case as for a random function f, f(x) is totally unrelated to f(x+1), and therefore the same holds (with respect to polynomial-time adversaries) for poly-random collections.

Another threat to the Bank's security is the loyalty of its own employees. They have the authenticating computer at their disposal and can use it to launch a chosen message attack against the scheme, so that when they are fired they can forge transactions. Our message authentication scheme remains secure even when the employees are not trustworthy, if each message to be authenticated is automatically time stamped by the computer. An employee who leaves the bank, after having widely experimented with the machine, will not be able to authenticate even one new message.

5. AN IDENTIFY FRIEND OR FOE SYSTEM 

The members of a large but exclusive society are well known for 
their brotherhood spirit. Upon meeting each other, anywhere in the 
world, they extend hospitality, favors, advice, money, etc. Naturally 
they face the danger of imposters trying to take advantage of their 
generosity. Thus, upon meeting each other, they must execute a pro- 
tocol for establishing membership. As they meet in public places 
(busses, trains, theatre), they must be careful not to yield informa- 
tion that can lead to future successful impersonations. They go 
around carrying pocket computers on which they may make calculations. 

Clearly a password scheme will not suffice in this context, as the conversations are public. An interactive identification scheme is needed where the ability to ask questions does not enable future successful impersonations. Note that the questions that A may ask member B must be picked from an exponential range to prevent an active imposter from asking all possible questions, receiving all possible answers and thereafter successfully impersonating a member (or to prevent a passive imposter from having a non-negligible probability of being asked a question that he overheard the answer to).

Using our poly-random collection, we can fully solve this problem. Let the president of the society choose a k-bit random string s, specifying a function f_s in a poly-random collection. Each member receives a computer which calculates f_s. When member A meets B, he asks "z?" where z ∈_R I_k. Only if B answers f_s(z) will member A be convinced that B is a member. In addition, if the computers that calculate f_s can be manufactured so that they cannot be duplicated, then losing a computer does not compromise the security of the entire scheme; it just allows one non-member to enjoy the privileges of the society.

6. SOLVING BLUM, BLUM & SHUB'S OPEN PROBLEM

Blum, Blum and Shub [BBS] have presented an interesting CSPRB generator whose sequences pass all polynomial time statistical tests if and only if deciding Quadratic Residuosity modulo a Blum integer (1) whose factorization is not known, is intractable.

(1) A Blum integer is an integer of the form p_1 p_2 where p_1 and p_2 are distinct primes both congruent to 3 mod 4.
Notice that, even though a CSPRB sequence generated with a k-bit long seed is p_1(k)-bit long, a CSPRB generator and a seed s define an infinite bit-sequence b_1, b_2, ... An interesting feature of Blum Blum Shub's generator is that knowledge of the seed and of the factorization of the modulus allows direct access to each bit in an exponentially long bit string (i.e. if k denotes the length of the seed and i ≤ 2^k, then the i-th bit in the string (b_i) can be computed in poly(k) time). This is due to the special weak one-to-one one-way function on which the security of their generator is based. However, this exponentially long bit string MAY NOT appear "random". Blum, Blum and Shub only prove that any SINGLE polynomially long interval of CONSECUTIVE bits in the string passes all polynomial time statistical tests for strings. Indeed, it may be the case that, given b_1, ..., b_k and
h-gtf , . . . th^flt ^ it is easy to compute any other bit in the string. 
Another CSPRB generator which possesses the direct access property was suggested by Goldwasser, Micali and Tong [GMT]. Their generator is also based on a specific intractability assumption (factoring in a subset (of half) of the Blum integers). Also, it is not known whether direct access in the GMT generator preserves randomness.

The Blum Blum Shub open problem consists of whether direct access 
to exponentially far away bits in their pseudo-random pad is a 
"randomness preserving" operation. Or more generally, whether there 
exist generators which possess such a "randomness preserving direct 
access" property. 

The Blum Blum Shub generator, when fed with a k-bit long seed s, defines a function f_s in the following way: for each k-bit integer X, f_s(X) is the X-th block of k bits in the pad. I.e. f_s(X) = b_{k(X-1)+1} ... b_{kX}. Recall that the Blum Blum Shub generator is based on the intractability assumption of a special permutation and furthermore, even under this assumption, direct access was not proved to be a randomness preserving operation. As a consequence f_s may not be "random".

We solve the above problem in a very strong sense. In fact we construct random functions f, from k-bit strings into k-bit strings, given ANY one-way permutation. Having constructed such an f, we have virtually constructed the k·2^k-bit long string s_f = f(1) f(2) ... f(2^k). For the set {s_f} we prove that direct access is a "randomness preserving" property.
APPENDICES

Appendix A: CSPRB Generators, One-Way Permutations and Yao's Construction.

Following the unpredictable number generators of Shamir [S], Blum 
and Micali [BM] have introduced the notion of Cryptographically Strong 
Pseudo-Random Bit (CSPRB) generators. They have also presented the 
first instance of it, relying on the intractability assumption of the 
discrete logarithm problem. 

Let t be any fixed constant. A CSPRB generator is a deterministic program that receives as input a (random) k-bit long seed and outputs a k^t-bit long (pseudo-random) sequence such that the next bit in the sequence cannot be predicted in polynomial (in k) time from the preceding bits. Yao [Y] introduces the notion of a polynomial-time statistical test and shows that the outputs of CSPRB generators pass all polynomial-time statistical tests. He also proves that one can construct CSPRB generators given any (weak) one-way permutation.

Let us be more formal. Let f_k: I_k → I_k be a sequence of permutations such that there is a polynomial-time algorithm that on input x ∈ I_k computes f_k(x). Let the function f be defined as follows: f(x) = f_k(x) if x ∈ I_k. We say that f is a one-to-one one-way function if for all polynomial-time Turing Machines M there is a polynomial P such that, for all sufficiently large k,

M(x) ≠ f_k^{-1}(x) for at least a fraction 1/P(k) of the x ∈ I_k.

LEMMA 1 (Yao [Y]): Given a weak one-to-one one-way function, it is possible to construct CSPRB generators.

Sketch of the proof: Given a one-way permutation f, Yao constructs a hard to evaluate predicate by taking the exclusive-or of the inverse of f on polynomially many points. Namely,

B_k(x_1, x_2, ..., x_{k^t}) = XOR f_k^{-1}(x_1) f_k^{-1}(x_2) ... f_k^{-1}(x_{k^t}),

where XOR s is the exclusive-or of all the bits of the string s.

Appendix B: The Construction of F (from any CSPRB Generator) [GGM]

Let G be a CSPRB generator. Recall that G is a function defined on all bit strings such that if x ∈ I_k, G(x) = b^x_1, ..., b^x_{P(k)}. With no loss of generality, we can assume that P(k) ≥ 2k.

(This is the case since Goldreich and Micali [GM] have shown that the existence of a CSPRB generator which expands a k-bit long seed into a (k+1)-bit output pad yields the existence of a generator which expands a k-bit long seed into a 2k-bit long pad.)

Let S = S_k be defined as follows. S_k is the set of all the first 2k bits output by G on seeds of length k. Then S passes all polynomial time statistical tests for strings.

Let x ∈ I_k be a seed for G. G_0(x) denotes the first k bits output by G on input x; G_1(x) denotes the next k bits output by G. Let α = α_1 α_2 ... α_t be a binary string. We define G_{α_1 α_2 ... α_t}(x) = G_{α_t}(...(G_{α_2}(G_{α_1}(x)))...).

Let x ∈ I_k. The function f_x: I_k → I_k is defined as follows:

For y = y_1 y_2 ... y_k, f_x(y) = G_{y_1 y_2 ... y_k}(x).

Define F_k = {f_x}_{x ∈ I_k} and F = {F_k}. Note that a function in F_k need not be one-to-one.

The reader may find it useful to picture a function f_x: I_k → I_k as a full binary tree of depth k with k-bit strings stored in the nodes and edges labelled 0 or 1. The k-bit string x will be stored in the root. If a k-bit string s is stored in an internal node v, then G_0(s) is stored in v's left son, v_l, and G_1(s) is stored in v's right son, v_r. The edge (v, v_l) is labelled 0 and the edge (v, v_r) is labelled 1. The string f_x(y) is then stored in the leaf reachable from the root following the edge path labelled y.

It is easy to see that F satisfies properties (1) and (2) of poly-random collections. A proof that F satisfies also property (3) (pseudo-randomness) can be found in [GGM] (Main Theorem).



GENERALIZATIONS

In some applications, we would like to have random functions from I_{p_3(k)} → I_{p_4(k)}. E.g. in hashing we might want functions from I_k into I^q. We meet this need by introducing the collection F = {F_k} defined as follows: For x ∈ I_k, f_x ∈ F_k is a function from I_{p_3(k)} into I_{p_4(k)} defined as follows. Let y = y_1 ... y_{p_3(k)}. Define f_x(y) = r_{p_4(k)}(G_{y_1 ... y_{p_3(k)}}(x)), where r_{p_4(k)}(z) are the first p_4(k) bits output by G when fed input z ∈ I_k, where G is a CSPRB generator.

Such an F is also a poly-random collection: properties (1) and (2) trivially hold, and property (3) can be proved in a way similar to the proof of the Main Theorem in [GGM].
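As an added example (not code from the paper), the Appendix B tree construction and its generalization in Python, together with the two uses the paper builds on it: the storageless secret ID of section 2 and the 20-bit time-stamped tag of section 4. The length-doubling generator G is a stand-in, SHA-256 of the k = 128-bit node value split into G_0 and G_1; the paper builds G from a one-way permutation, so that substitution is an assumption of the example.

```python
"""GGM tree construction (Appendix B), its generalization, and the
section 2 / section 4 applications. Assumption: G is a stand-in
length-doubling generator built from SHA-256, not the paper's G."""
import hashlib
import hmac

K_BYTES = 16          # k = 128 bits per tree node
TAG_BITS = 20         # section 4: a 20-bit tag, forged with chance ~1 in a million


def G(x: bytes) -> bytes:
    """Stand-in CSPRB generator: k-bit seed -> 2k pseudo-random bits."""
    if len(x) != K_BYTES:
        raise ValueError("seed must be k bits")
    return hashlib.sha256(x).digest()


def G0(x: bytes) -> bytes:
    """First k output bits of G: the left son."""
    return G(x)[:K_BYTES]


def G1(x: bytes) -> bytes:
    """Next k output bits of G: the right son."""
    return G(x)[K_BYTES:]


def bits_of(y: bytes):
    """The bits y_1, y_2, ... of y, most significant bit of each byte first."""
    for byte in y:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def f(x: bytes, y: bytes) -> bytes:
    """f_x(y) = G_{y_1 y_2 ... y_t}(x): starting at the root x, take the left
    son on a 0 bit and the right son on a 1 bit; the leaf value is f_x(y).
    The walk is |y| levels deep, so inputs of any length p3(k) are handled."""
    node = x
    for b in bits_of(y):
        node = G1(node) if b else G0(node)
    return node


def f_gen(x: bytes, y: bytes, out_bytes: int) -> bytes:
    """Generalized collection: output r_{p4(k)}(G(leaf)), the first p4(k) bits
    of G applied to the leaf reached by y. The stand-in G outputs only 2k
    bits, so this example supports p4(k) <= 2k."""
    if out_bytes > 2 * K_BYTES:
        raise ValueError("stand-in G only outputs 2k bits")
    return G(f(x, y))[:out_bytes]


# Section 2: the server keeps only the k-bit secret s, never a table of IDs.
def issue_id(s: bytes, name: str) -> bytes:
    """User U receives f_s(U); names are assumed unique, as the paper stipulates."""
    return f(s, name.encode())


def verify_id(s: bytes, name: str, n: bytes) -> bool:
    """(U, n) is a legal pair iff f_s(U) == n, recomputed from s alone."""
    return hmac.compare_digest(f(s, name.encode()), n)


# Section 4: tag = first 20 bits of f_s(m concatenated with the date). The
# "||" separator is this example's choice; the paper only says "concatenated".
def auth_tag(s: bytes, message: bytes, date: str) -> int:
    full = f(s, message + b"||" + date.encode())
    return int.from_bytes(full[:3], "big") >> (24 - TAG_BITS)


def verify_tag(s: bytes, message: bytes, date: str, tag: int) -> bool:
    """Recompute the tag for (m, date); a tag seen for another date is useless."""
    if not 0 <= tag < (1 << TAG_BITS):
        return False
    expected = auth_tag(s, message, date).to_bytes(3, "big")
    return hmac.compare_digest(expected, tag.to_bytes(3, "big"))
```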

Appendix C: An (unsatisfactory) straightforward simulation of random 
functions 

Assume one needs to be able to evaluate a function that looks as if it is randomly selected from H_k. One can argue that since he will only need to evaluate the function on polynomially many (in k) inputs, it is sufficient that he proceeds as follows:

Choose a CSPRB generator G and a random k-bit long seed s. This choice specifies a k^{t+1}-bit long pseudo-random bit-sequence b_1, ..., b_{k^{t+1}} that can be used as securely as a truly random pad. Let x_1, ..., x_j denote the chronologically ordered sequence of inputs on which the "random function" f has already been evaluated.

Assume now that f needs to be evaluated on an input y. If y ≠ x_i for i = 1...j, then f(y) is set to be the (j+1)st block of k consecutive bits in the pseudo-random sequence (i.e. f(y) = b_{kj+1} ... b_{k(j+1)}). Also, y is stored as the (j+1)st input (storing f(y) is optional). Otherwise, if y = x_i for some i, f(y) is recomputed as the i-th block of bits in the pseudo-random sequence (or is retrieved from memory).

Note that this procedure does not specify a function and thus does not meet the theoretical challenge. Furthermore, it wastes storage proportional to the number of oracle queries (inputs on which the function has been evaluated). This is a strict lower bound! If the inputs are randomly chosen they cannot be compressed at all!

By means of a more clever use of CSPRB generators, our solution requires only k bits of storage. Thus it meets both the theoretical and the practical challenges.
Abstract

This paper introduces the first probabilistic public-key encryption scheme which combines 
the following two properties: 

(1) Perfect secrecy with respect to polynomial time eavesdroppers: For all message spaces, no 
polynomial time bounded passive adversary who is tapping the lines, can compute any par- 
tial information about messages from their encodings, unless factoring composite integers is 
in probabilistic polynomial time. 

(2) Efficiency: It compares favorably with the deterministic RSA public-key cryptosystem in both encoding and decoding time and bandwidth expansion.

The security of the system we propose can also be based on the assumption that the RSA 
function is intractable, maintaining the same cost for encoding and decoding and the same data 
expansion. This implementation may have advantages in practice. 

1. Introduction 

Much attention has been devoted recently to investigating the security of cryptographic 
protocols, cryptographic encryption techniques, and digital signatures methods. Still, the most 
important problem in public-key cryptography remains how to encrypt both efficiently and 
securely. 

Key Words: probabilistic encryption, partial information, integer factorization, passive adver- 
saries, chosen cyphertext attack. 
It is customary to call an encryption system secure when it is infeasible to recover the cleartext x from its encryption E(x). However, this does not necessarily mean that it is infeasible to learn some partial information about x from E(x), for x's of interest. In fact, it has been pointed out in ([L], [GM]) that for any deterministic encryption scheme E, such as the RSA or Rabin's schemes, partial information about x can always be computed from E(x). When E is used in cryptographic protocols, finding out this partial information can be detrimental to the security of the application, as has been shown for the protocols of "Mental Poker" in [SRA] and "Flipping Coins in Many Pockets" in [BD]. Moreover, whenever the messages to be sent are drawn from special message spaces (e.g. the messages can be expressed as known linear combinations of each other) the secrecy of the messages is in question ([B], [M]).

This issue has been rigorously defined and studied by Goldwasser and Micali in [GM]. They introduced the notion of a Public-Key Encryption scheme that is polynomially secure: a polynomial time adversary cannot find one message m whose encodings he can distinguish from the encodings of a random message. An equivalent formulation of this security requirement is that after the eavesdropper sees an encrypted message passing in the network, his a posteriori probability of computing correctly which message is being sent remains roughly the same as his a priori probability of guessing which message is being sent before seeing the encrypted message. This implies that seeing the cyphertext does not help the adversary to compute or guess any function of the cleartext better than he could have before seeing the cyphertext. Public key encryption schemes have been proposed that achieve this security criterion if the Quadratic Residuosity problem is intractable in [GM], and more generally if there exists any trapdoor function by Yao in [Y].

These schemes are probabilistic and are computed in a "bit-by-bit" fashion. In other words, every message has many possible encodings and every bit of a message is encrypted independently. Due to this last property, these schemes are highly inefficient. If k is the size of the security parameter (e.g. the size of the modulus in the RSA encryption function) then each bit is encoded individually by a k-bit long string in [GM] and even worse in [Y], resulting in at least a k-bit data expansion factor. Moreover, decoding a single bit in [GM] takes O(k^3) operations. In comparison, the RSA [RSA] or Rabin [Ra] encryption schemes, being deterministic block-ciphers, where a message is encrypted as a block of bits, transform k bits of cleartext into k bits of cyphertext using O(k^3) operations.

This paper proposes a simple scheme which combines the polynomial security of the probabilistic schemes ([GM], [G], [Y]) and the efficiency of the deterministic schemes ([RSA] and [Ra]). Thus, with no loss of efficiency, this new scheme can be used in applications such as Mental Poker [GM2], Coin Flipping in a Distributed Network [ABCGM] or whenever messages to be sent come from a special message set and are dependent on one another in a publicly known way.






Let k be the size of the security parameter. Then, the new scheme transforms an l-bit long cleartext into an (l + k)-bit long ciphertext, with a computational cost of O(l k^2 / log k) for encryption and of O(k^3) + O(l k^2 / log k) for decryption. When the length of the message l < k our scheme is at least as fast as either the RSA or Rabin schemes and when l > k our scheme is actually slightly faster. Most importantly, it is more secure. We prove that the scheme is polynomially secure, provided that factoring (or inverting RSA) is intractable.

A High Level Description of Our System 

Our work has gained from and extends the works by Goldwasser-Micali [GM], Blum-Micali [BM], Yao [Y], Blum-Blum-Shub [BBS], Goldwasser-Micali-Tong [GMT] and Chor-Goldreich [CG].

The notion of a cryptographically strong pseudo random bit (CSPRB) generator has been introduced by Blum and Micali in [BM] and extended by Yao in [Y]. Such a generator is a program which takes as input a k-bit random seed and produces as output a k^t-bit sequence, where t > 0 is fixed. The output sequences produced by a CSPRB generator are high quality pseudo-random sequences in the following sense: if the k-bit seed is totally unknown, they cannot be distinguished from truly random sequences of the same length by any statistical test which runs in polynomial in k time.

The key idea in our method will be: to send an l-bit message m, send the exclusive-or of m with an l-bit output of a CSPRB generator on a k-bit random input seed S along with a public-key encryption of S. Other implementations of this idea using different CSPRB generators and different types of encodings of S have been proposed by Blum, Blum and Shub in [BBS] and Goldwasser, Micali and Tong in [GMT], but they were not as efficient as our implementation and relied on different number theoretic assumptions.

We show a way to encrypt the seed S for which:

(1) We prove that sending the encrypted seed S along with the exclusive-or of the message and the output of the CSPRB generator on input S does not compromise the apparent "randomness" of the output of the CSPRB generator. (Yao [Y] proved that sequences output by CSPRB generators are polynomial time indistinguishable from truly random sequences only when the seed is totally unknown).

(2) The encoding and decoding of the seed S take at most O(k^3) steps and k bits of cyphertext, where k is the size of the seed.

2. Number Theoretic Background 

Let |m| denote log_2 m and Z*_N denote the set of positive integers less than N which are relatively prime with N. Let (x/N) denote the Jacobi symbol of x ∈ Z*_N mod N. Recall that for x ∈ Z*_N, where the prime factorization of N is N = Π_i p_i^{e_i}, and

(x/p_i) = 1 if x is a quadratic residue mod p_i and -1 otherwise.

Let N = pq, where p ≡ q ≡ 7 mod 8. Set QR_N = {a | ∃x, x^2 ≡ a mod N}.

Then, any a ∈ QR_N has exactly two square roots with Jacobi symbol +1, of the form x and -x in Z*_N, and exactly one square root with Jacobi symbol +1 which is less than N/2. Let x be such a square root of a ∈ QR_N.

Define B(a, N) for a ∈ QR_N as follows: (1)

B(a, N) = least significant bit of x.

Recent results by Chor and Goldreich [CG] imply that

Lemma 1 [CG]: If there exists a probabilistic polynomial in |N| time algorithm that computes B(x, N) for a fraction 1/2 + 1/poly(log N) of x ∈ QR_N where N ∈ H, then there exists a probabilistic polynomial in |N| time algorithm for factoring N ∈ H.

They extend Lemma 1 as follows. Let

B^k(a, N) = k-th least significant bit of x where x^2 ≡ a mod N, x < N/2, and (x/N) = +1.

Lemma 2 [CG], [W]: Let 1 ≤ j ≤ log log N. If there exists a probabilistic polynomial in |N| time algorithm that on inputs N ∈ H and S = {B^i(x, N) | 1 ≤ i ≤ log log N, i ≠ j} guesses B^j(x, N) for a fraction greater than 1/2 + 1/poly(log N) of x ∈ QR_N, then there exists a probabilistic polynomial in |N| time algorithm for factoring N ∈ H.

3. The Encryption Scheme 

Let the public file of user A contain a composite number N, product of two primes p and q, both congruent to 7 mod 8. A keeps p and q secret.

Let the security parameter k = log N. Define G(l, r, N) to be the l-bit boolean vector whose i-th bit is B^s(r^{2^h}, N) where h = ⌈i / log k⌉ and s = i - (h - 1)·log k for 1 ≤ i ≤ l.

(1) This predicate was first introduced in [GMT] and further analyzed in [BCS] and [W].
Suppose any user B in the network wants to send an encoding of an l-bit message m ∈ M to user A.

How to Encode m:

1. Choose r ∈ Z*_N at random.

2. Compute G(l, r, N) using algorithm A below.

3. Set f = r^{2^{h+1}} mod N where h = ⌈l / log k⌉.

4. Let the encryption of m be the pair (G(l, r, N) ⊕ m, f).

Algorithm A

input: l, r, N where k = log N.
output: G(l, r, N)

1) Let h = ⌈l / log k⌉.

2) For j = 0 to h-1 do

Let temp = r^{2^{j+1}} mod N

For i = 1 to log k, let the (j·log k + i)-th bit of G(l, r, N) be B^i(temp, N) (namely, the i-th least significant bit of temp).

Note that the size of the encoding of an l-bit message m is l + k. Computing G(l, r, N) can be done in O(l k^2 / log k) steps.

How to Decode

Let the pair (D, f) be a public-key encoding of an l-bit message sent to user A. Then, user A, who knows the factors of N, does:

1. Let h = ⌈l / log k⌉. Compute r such that r^{2^{h+1}} ≡ f mod N by performing algorithm B below.

2. Compute G(l, r, N) using algorithm A above.

3. Let m = G(l, r, N) ⊕ D.

The cost of decoding is O(k^3) + O(l k^2 / log k). This is faster than the previous O(k^3) of all previous probabilistic encoding schemes [GM, BBS, GMT]. We achieve this by exploiting the special properties of p and q. We show this in algorithm B below. The main idea is that instead of extracting square roots of f mod N at every step of the computation to retrieve G(l, r, N), we first compute r in one exponentiation and then compute G(l, r, N) by algorithm A.

Algorithm B:

Input: p, q, h and r^{2^{h+1}} mod N where r ∈ QR_N and k = log N.
Output: r ∈ QR_N

Running time: O(k^3) operations.

Let p = 8t + 7 and q = 8l + 7 for some t and l.

1) Let u = 2^{h+1} (t+1)^{h+1} mod p-1

2) Let v = 2^{h+1} (l+1)^{h+1} mod q-1

(The above exponents u and v can be precomputed on inputs p, q and h+1 alone)

3) Let a = (r^{2^{h+1}})^u mod p

4) Let b = (r^{2^{h+1}})^v mod q

5) Compute c ∈ Z*_N such that c ≡ a mod p and c ≡ b mod q using the Chinese Remainder theorem.

6) Output r = c

Steps 1 and 2 above can be precomputed when the cryptosystem is set up. The cost of steps 3-4 is two modular exponentiations and one gcd computation of k-bit numbers. The complexity of the naive algorithm for performing these operations is O(k^3).

Decoding Lemma: The decoding algorithm is correct.

Proof. To compute square roots of a ∈ QR_N, note that (a/p) = a^{4t+3} = +1 implies (a^{2t+2})^2 ≡ a mod p. Thus to compute the square root of a mod p which is a square itself, simply compute a^{2t+2} mod p. Finally, to compute the 2^{h+1}-th root of a^{2^{h+1}} mod N which is a square, compute a^{(t+1)^{h+1} 2^{h+1}} mod p, a^{(l+1)^{h+1} 2^{h+1}} mod q, and Chinese remainder the results mod pq. The exponents (t+1)^{h+1} 2^{h+1} mod p-1 and (l+1)^{h+1} 2^{h+1} mod q-1 do not depend on r and can be precomputed, knowing p, q and the length of the message.
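As an added example (not the paper's own code), the section 3 encoder with Algorithm A and the decoder with Algorithm B in Python, at toy key sizes. Assumptions of the example: log k is taken as ⌊log_2 k⌋ bits per block, the primes are checked by trial division, and an l-bit message is handled as an integer below 2^l.

```python
"""Blum-Goldwasser encoding (Algorithm A) and decoding (Algorithm B) of
section 3 at toy sizes. Assumption: log k means floor(log2 k) here, and
primality is checked by trial division (toy moduli only)."""
import math
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy moduli used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def keygen(p: int, q: int):
    """Public key N = pq, private key (p, q). Section 3 requires two
    distinct primes both congruent to 7 mod 8 (p = 8t+7, q = 8l+7)."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    if p % 8 != 7 or q % 8 != 7:
        raise ValueError("p and q must be congruent to 7 mod 8")
    return p * q, (p, q)


def params(N: int, l: int):
    """k = |N|, j = log k bits taken per block, h = ceil(l / log k) blocks."""
    k = N.bit_length()
    j = max(1, int(math.log2(k)))
    h = -(-l // j)                         # ceiling division
    return k, j, h


def algorithm_a(l: int, r: int, N: int) -> int:
    """Algorithm A: the l-bit pad G(l, r, N) as an int. For j = 0..h-1,
    temp = r^(2^(j+1)) mod N, and the (j*log k + i)-th pad bit (1-based)
    is the i-th least significant bit of temp."""
    _, j, h = params(N, l)
    pad, temp = 0, r
    for blk in range(h):
        temp = temp * temp % N             # r^(2^(blk+1)) mod N
        for i in range(j):
            pos = blk * j + i              # 0-based bit position in the pad
            if pos < l:                    # the last block may be partial
                pad |= ((temp >> i) & 1) << pos
    return pad


def encrypt(N: int, m: int, l: int, r: int = None):
    """Encode an l-bit message m as (G(l, r, N) xor m, r^(2^(h+1)) mod N).
    r is drawn at random from Z_N^* unless supplied (supplied only in tests)."""
    if not 0 <= m < (1 << l):
        raise ValueError("m must be an l-bit message")
    _, _, h = params(N, l)
    while r is None or math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    f = pow(r, 1 << (h + 1), N)
    return algorithm_a(l, r, N) ^ m, f


def algorithm_b(p: int, q: int, h: int, f: int) -> int:
    """Algorithm B: the quadratic-residue 2^(h+1)-th root of f mod N.
    With p = 8t+7, a^(2t+2) is the square root of a mod p that is itself a
    square (Decoding Lemma), so h+1 root extractions collapse into one
    exponentiation with u = 2^(h+1) (t+1)^(h+1) mod (p-1); v likewise for q."""
    t, l_ = (p - 7) // 8, (q - 7) // 8
    u = pow(2 * (t + 1), h + 1, p - 1)     # steps 1-2: depend only on p, q, h
    v = pow(2 * (l_ + 1), h + 1, q - 1)
    a = pow(f % p, u, p)                   # step 3
    b = pow(f % q, v, q)                   # step 4
    # step 5: Chinese remaindering of a mod p and b mod q
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def decrypt(p: int, q: int, D: int, f: int, l: int) -> int:
    """Decoder: recover r with Algorithm B, regenerate the pad with
    Algorithm A and xor it off. The recovered root may be -r mod p or
    mod q, but Algorithm A only uses r^2 onward, so the pad is identical."""
    N = p * q
    _, _, h = params(N, l)
    r = algorithm_b(p, q, h, f)
    return algorithm_a(l, r, N) ^ D
```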

4. Security Analysis 

4.1 The Model 

Let M be any message space. We think of the sender as a stochastic process which produces m ∈ M in accordance with a polynomial time computable system of probabilities. Thus every m ∈ M has an a priori probability of being sent. The adversary knows and can compute the probability distribution of the message space. When he intercepts the cyphertext he can calculate from it a set of a posteriori probabilities of the various messages which may have produced this cyphertext. Shannon defines a cypher to be perfectly secure if: after the adversary intercepts the cyphertext, the a posteriori probability of the cyphertext representing some message must be the same as the a priori probability of the same message before interception.

We adopt Shannon's perfect secrecy criteria to polynomial time bounded adversaries. See 
also [GM] and [Y]. 

Let k be the security parameter of our system. We think of a public-key encryption scheme as a probabilistic, polynomial time algorithm Π that receives k as input from each user in the system, and outputs a pair of polynomial in k time computable encryption and decryption algorithms E: M → C and D: C → M where C is the set of cyphertexts. The encryption algorithm E may be probabilistic. We let E(m) denote the set of possible encodings of m ∈ M. Note that when E = RSA, E(m) is unique for any m ∈ M.

The measure of security we would like to enforce is the following. Informally, no polynomial time passive adversary which can compute x ∈ E(m) for any m ∈ M should be able to come up with even one message m whose encodings he can even distinguish from the encodings of a random message r ∈ M. This implies that seeing an encryption of a message does not help the adversary to compute or guess with any significant advantage any partial information about the message itself.

Formally, let A be a polynomial time, probabilistic algorithm that takes as input a description of E and outputs a message m_{E,A} ∈ M. Let B be a polynomial time, probabilistic algorithm that takes as input x ∈ E(m) and outputs 1 or 0 (this is B's guess as to whether m = m_{E,A} or not). Note that B may even know m_{E,A}. Let p_m denote the probability that B guesses 1 on x ∈ E(m) (the probability here is taken over the encodings x ∈ E(m) and B's coin tosses).

Definition: We say that Π is polynomially secure if for all M, for all A, B, for all polynomials Q, for all sufficiently large k,

|p_{m_{E,A}} - p_r| < 1/Q(k)

for a random r ∈ M and random E generated by Π.

This notion of security was introduced by Goldwasser and Micali in [GM]. Another notion of security was later proposed by Yao [Y] using time-bounded information theory. Rackoff [R] showed the two notions equivalent, providing some evidence that polynomial security is the correct notion of security for a public-key cryptosystem.

4.2 Proof of Security

Factoring Assumption (FA): Let F^k_A denote the fraction of k-bit integers factored by probabilistic, polynomial in k time algorithm A. Then, for all polynomials Q, for sufficiently large k,

F^k_A < 1/Q(k).
Theorem: The FA implies that the scheme described in section 3 is polynomially secure.

Idea of the proof: Let Π be a public-key encryption scheme that produces encryption algorithms of the form we proposed in section 3. Namely, a user in the system gives input k to Π and receives in return two k-bit prime numbers p and q such that p ≡ q ≡ 7 mod 8. The user publicizes N = pq and keeps p and q secret. To send the user messages one encodes as we suggested in section 3. For the duration of the proof, let us denote this encryption algorithm by E_N, and the set of possible encryptions of message m by E_N(m).

Now, suppose for contradiction, that for some pair A, B of polynomial-time probabilistic algorithms and for some polynomial Q, for infinitely many k, on a random $E_N$ output by $\Pi$ on k and a random $r \in M$, algorithm A on input $E_N$ outputs an $m_{A,E} \in M$ such that

(a) $|p_{m_{A,E}} - p_r| > \frac{1}{Q(k)}$.

Pick a k for which (a) holds. Assume without loss of generality that for all $m \in M$, $|m| = l$ and $l < P(k)$ for a polynomial P. Pick a random N (product of two k-bit primes p and q such that $p \equiv q \equiv 1 \pmod 8$) whose factors you don't know. Input N to algorithm A to receive $m_{A,E}$. Now, let's define two types of experiments.

Type (1): Pick $x \in QR_N$ at random and an l-bit random R. Let $h = \max\{j \mid j \cdot \log k < l\}$. Feed algorithm B $x^{2^{h+1}} \bmod N$ and $R \oplus G(l,x,N)$ (i.e. a random member of $E_N(R)$). The probability that B answers 1 here is $p_R$.

Type (2): Pick $x \in QR_N$ at random. Feed algorithm B $x^{2^{h+1}} \bmod N$ and $m_{A,E} \oplus G(l,x,N)$ (i.e. a random member of $E_N(m_{A,E})$). The probability that B answers 1 here is $p_m$.

By assumption, $|p_m - p_R| > \frac{1}{Q(k)}$. Without loss of generality, let $p_m - p_R > \frac{1}{Q(k)}$. By the weak law of large numbers, in a polynomial in Q(k) number of type (1) and type (2) experiments we can estimate $p_m$ and $p_R$.

We now use a combination of the proof techniques of Goldwasser and Micali in [GM] and Yao in [Y]. Let the i-type experiment be defined as follows. Feed algorithm B $r^{2^{h+1}} \bmod N$ and $G(l,r,N) \oplus m_i$ where $m_i$ consists of the concatenation of the first i bits of $m_{A,E}$ and $l - i$ random bits (i.e. feed B a random member of $E_N(m_i)$). Let $p_i$ be the probability that during the i-type experiment B outputs 1 (this probability is taken over B's coin tosses, the choices of r and the $l - i$ random bits). There must exist an $1 \le i \le l$ such that $p_{i+1} - p_i > \frac{1}{l \cdot Q(k)}$, and it can be found by running a polynomial in $l \cdot Q(k)$ number of i-type experiments and (i+1)-type experiments for all $1 \le i \le l$. Say we found such an i. There are two cases to look at: $i < \log k$ and $i \ge \log k$. The first case yields a method for predicting $B^1(x,N)$ with probability greater than $\frac{1}{2}$ on inputs N and $\{B^j(x,N) \mid 2 \le j \le l\}$, which by Lemma 2 implies a probabilistic factoring algorithm for $N \in H$. This contradicts the factoring assumption. In the second case $i \ge \log k$. The rest of the proof deals with this case. Pick an a in $Z_N^*$ such that $\left(\frac{a}{N}\right) = -1$. Let G consist of the concatenation of $G(i,a^2,N)$ with $l - i$ random bits. Let $h' = \max\{j \mid j \cdot \log k < i\}$. Feed algorithm B as input $a^{2^{h'+1}} \bmod N$ and $G \oplus m^0$ where $m^0$ consists of the concatenation of the first i bits of $m_{A,E}$, 0, and $l - i - 1$ random bits. Denote B's output by $b_0$. (Note that this is an i-type experiment.) Now feed B with $a^{2^{h'+1}} \bmod N$ and $G \oplus m^1$ where $m^1$ consists of the concatenation of the first i bits of $m_{A,E}$, 1, and $l - i - 1$ random bits. Denote B's output by $b_1$. (Note that this is an (i+1)-type experiment.) Let $j = \log k$ and let $b_{i+1}$ denote the (i+1)st bit of $m_{A,E}$. If $b_0 = b_1$ then choose at random $c \in \{0,1\}$ and predict that $B^1(a,N) = c$; otherwise let $c = 0 \cdot b_0 + 1 \cdot b_1$ and predict $B^1(a,N) = b_{i+1} \oplus c$. The probability of predicting $B^1(a,N)$ correctly according to this rule is greater than $\frac{1}{2} + \frac{1}{2\,Q(k)\,l}$. This yields by Lemma 2 a probabilistic polynomial-time algorithm for factoring $N \in H$, which again contradicts the factoring assumption.

5. Efficiency Analysis and Comparison

Let k be the security parameter (i.e. the size of the composite number in the public file). To send a k-bit message m where $k = \log N$ using RSA requires $O(k^3)$ operations to encode and decode and a k-bit long encryption. In our scheme encoding requires $O(\frac{k^3}{\log k})$ operations, decoding requires $O(k^3) + O(\frac{k^3}{\log k})$ operations and the encryption of a k-bit message is 2k bits long.

Note that the time bounds for RSA encoding and decoding have been calculated for $RSA(x) = x^s \bmod N$ where $1 \le s < \varphi(N)$ is picked at random as proposed in the original RSA paper. It has been suggested to let $s = 3$; then encoding is of $k^2$ complexity, while decoding still remains of $k^3$ complexity. However, Blum in [B] and Hastad in [H] point out a problem arising with $s = 3$ (or any $s < \log k$): if the same message is sent encrypted to 3 (respectively s) separate people in the network, each owning his own $N_i$, then an adversary tapping the lines can decode the message.

6. Other models of adversaries

The security analysis performed in section 4 was done with respect to passive adversaries. However, the scheme described above is not secure against adversaries more powerful than passive ones, such as adversaries which can perform chosen ciphertext attacks (CCA). In this attack, the adversary may have temporary access to the decoding equipment, after which he tries to decode. No public key encryption scheme has been proved secure against such an attack, even under the assumption that certain number theoretic problems are intractable.

On the other hand, no effective way of inverting the RSA function using a CCA on the RSA public-key cryptosystem is known. We can modify our scheme to achieve the same security against CCA as the deterministic RSA cryptosystem. We do this by modifying our system to be based on the assumption that the RSA function is intractable. This implementation maintains the same cost of encoding and decoding, the same data expansion, and the same security against partial information attacks as our factoring based scheme. In addition it is as secure against CCA as the deterministic RSA system. We briefly describe this implementation in section 7.

Note that what we are interested in is an encryption scheme which is 1-pass. That is, to send a message to user A we need only look up his public file, compute the encryption of our message and send it, and there is no need of further interaction with A. Solving the problem of public-key encryption which is secure against chosen-ciphertext attacks using a 2-pass system (where to send a secret message to A two levels of interaction are allowed) is much easier and can be achieved.

7. Implementation of the Scheme based on the RSA intractability assumption

Let N denote the modulus in the RSA scheme. That is $N = pq$ where p and q are primes of the same size. Let the public file of user A contain such a composite number N whose factors p and q only A knows. Let $s_i$ denote the inverse of $3^i \bmod \varphi(N)$ for $1 \le i < \varphi(N)$. Let $k = \log N$.

Define $G(l,r,N)$ of section 4 to be the l-bit vector whose $(i \cdot \log k + j)$-th bit is the j-th least significant bit of $r^{3^i} \bmod N$, for $0 \le i \le \lceil \frac{l}{\log k} \rceil$ and $1 \le j \le \log k$. Note that computing $G(l,r,N)$ can be done without knowing the factors of N in $O(\frac{l k^2}{\log k})$ time.

To encode m where $|m| = l$: pick $r \in Z_N^*$ at random, compute $G(l,r,N)$, let $h = \lceil \frac{l}{\log k} \rceil$ and $f = r^{3^{h+1}} \bmod N$, and let the encoding of m be the pair $(G(l,r,N) \oplus m,\ f)$.

To decode $(D, f)$ where $|D| = l$, recall that $s_{h+1} \cdot 3^{h+1} \bmod \varphi(N) = 1$. Compute $r = f^{s_{h+1}} \bmod N$, compute $G(l,r,N)$, and let $m = G(l,r,N) \oplus D$.
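As an added worked example (not the paper's code), here is a toy Python implementation of the section 7 scheme. Where the scan leaves the block structure of G(l, r, N) unclear it fills in assumptions: the ⌊log₂ k⌋ least significant bits of r, r³, r⁹, … mod N are concatenated, the final component is f = r^{3^{h+1}} as in the text, and the primes are tiny demonstration values rather than secure parameters.

```python
# Added example: the RSA-intractability variant of the probabilistic
# encryption scheme (section 7). Assumptions beyond the text: G(l, r, N)
# concatenates the floor(log2 k) least significant bits of r^(3^i) mod N
# for i = 0, 1, ..., and the trailing ciphertext component is r^(3^(h+1)).
# The primes used in roundtrip() are constructed demonstration values.
import math
import secrets


def bits_per_block(N):
    """log k bits are taken per exponentiation, where k = log N (bit length)."""
    k = N.bit_length()
    return max(1, int(math.log2(k)))


def G(l, r, N):
    """l-bit pad: the low bits of r, r^3, r^9, ... mod N, concatenated.
    Only the public N is needed, so any sender can compute it."""
    b = bits_per_block(N)
    out = []
    x = r % N
    while len(out) < l:
        low = x & ((1 << b) - 1)                       # b least significant bits of x
        out.extend((low >> j) & 1 for j in range(b))   # lsb first within the block
        x = pow(x, 3, N)                               # next term: r^(3^(i+1)) mod N
    return out[:l]


def num_blocks(l, N):
    """h = ceil(l / log k): number of cubings that produce l pad bits."""
    return -(-l // bits_per_block(N))


def encode(m_bits, N):
    """Encrypt an l-bit message: random r, output (G(l, r, N) XOR m, f)."""
    l = len(m_bits)
    r = secrets.randbelow(N - 2) + 2        # r in Z_N^* with overwhelming probability
    h = num_blocks(l, N)
    f = pow(r, 3 ** (h + 1), N)             # f = r^(3^(h+1)) mod N, as in the text
    pad = G(l, r, N)
    return [p ^ mb for p, mb in zip(pad, m_bits)], f


def decode(ciphertext, N, phi):
    """Decrypt with the trapdoor phi(N): r = f^(s_{h+1}) mod N where
    s_{h+1} is the inverse of 3^(h+1) mod phi(N); then strip the pad."""
    D, f = ciphertext
    l = len(D)
    h = num_blocks(l, N)
    s = pow(3 ** (h + 1), -1, phi)          # s_{h+1} * 3^(h+1) = 1 mod phi(N)
    r = pow(f, s, N)
    return [p ^ d for p, d in zip(G(l, r, N), D)]


def roundtrip(m_bits, p, q):
    """Encode then decode under N = pq (p-1, q-1 must be coprime to 3).
    Returns (recovered bits, ciphertext length / message length)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    c = encode(m_bits, N)
    recovered = decode(c, N, phi)
    # data expansion: l XORed bits plus one k-bit residue f
    expansion = (len(c[0]) + N.bit_length()) / len(m_bits)
    return recovered, expansion


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
    rec, exp_factor = roundtrip(msg, 1019, 1259)     # constructed toy primes
    print("recovered:", rec == msg, "expansion factor:", round(exp_factor, 2))
```
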



8. Remarks and Open problems

This paper presented a probabilistic encryption scheme which is secure against all partial information attacks in the presence of passive adversaries, provided factoring is hard, whose cost of encoding and decoding is low, and which has constant factor data expansion. An interesting open question remains:

Given $x^2 \bmod N$, are … of the bits of x such that $x < \frac{N}{2}$ and $\left(\frac{x}{N}\right) = +1$ as hard to compute as x? If so, then one may build an extremely efficient encryption scheme which requires only 2 multiplications to encode, and is secure against all partial information attacks.
Abstract — We prove that the RSA least significant bit is $\frac{1}{2} + \frac{1}{\log^c N}$ secure, for any constant c (where N is the RSA modulus). This means that an adversary, given the ciphertext, cannot guess the least significant bit of the plaintext with probability better than $\frac{1}{2} + \frac{1}{\log^c N}$ unless he can break RSA.

Our proof technique is strong enough to give, with slight modifications, the following related results:

(1) The $\log\log N$ least significant bits are simultaneously $\frac{1}{2} + \frac{1}{\log^c N}$ secure.

(2) The above also holds for Rabin's encryption function.

Our results imply that Rabin/RSA encryption can be directly used for pseudo random bits generation, provided that factoring/inverting RSA is hard.



1. INTRODUCTION 

Given a secure public key cryptosystem [7], it is hard to recover the plaintext x from its encryption, $E(x)$. However, this does not necessarily mean that a cryptanalyst cannot gain some partial information about x without actually computing it. The ability to derive partial information can render a cryptosystem useless in specific applications (e.g. mental poker [18], [13], [11]). For example, even a moderate ability of guessing the least significant bit of the plaintext may be a threat to security.

In the current state of knowledge we are unable to prove even the existence of secure public 
key cryptosystems. However, under reasonable assumptions on the computational complexity 
of certain problems, secure public key cryptosystems do exist and can be explicitly constructed. 
One of the most fascinating questions regarding those systems is "what partial information about 
the plaintext is hard to extract from the ciphertext?" 

This question was rigorously defined and studied, with respect to probabilistic encryption, by 
Goldwasser and Micali [11]. They constructed a public key cryptosystem which leaks no partial 
information. However, their system encrypts messages by expanding each plaintext bit into a ciphertext block, making it undesirable from a practical point of view.

The RSA [16] is the most widely known public key cryptosystem, and probably the first one which will be used in practice. It has been an open problem to demonstrate a predicate, $P(\cdot)$, such that having any advantage in guessing $P(x)$ given the encryption of x is as hard as inverting RSA.

In this paper, we show that the RSA least significant bit is $\frac{1}{2} + \epsilon$ secure for any polynomial fraction $\epsilon$ ($\epsilon^{-1} = O(\log^c N)$), where N is the RSA modulus. With a small modification, our proof technique also allows us to show that $\log\log N$ of the RSA bits are simultaneously $\frac{1}{2} + \frac{1}{\log^c N}$ secure. I.e., if RSA is indeed secure, then no heuristic which runs in polynomial time can get information about any function of these plaintext bits, given the ciphertext. Hence these bits provide instances of secure partial information for RSA.

Our results have important implications for generating sequences of cryptographically strong 
pseudo-random bits. RSA encryption E can be directly used for generating such sequences by 
starting from a random seed s and iterating E on it. 

Slightly modifying our proof techniques, we also prove the same strong bit security for Rabin's public key scheme [15]. This implies a fast and "direct" pseudo-random bits generator which is as hard to crack (distinguish its outputs from truly random strings) as factoring. Important consequences follow also w.r.t the probabilistic encryption scheme of Goldwasser & Micali [11] (see section 8.2).

Organization of the paper: In section 2 we formally define the question of security for the RSA least significant bit and cover previously known results. In section 3 we sketch the proof of Ben-Or, Chor & Shamir's result, and in section 4 its improvement by Schnorr & Alexi. These two investigations are the basis for our work, which is described in section 5. Section 6 extends our proof to other RSA bits and section 7 to bits in Rabin's scheme. Section 8 contains concluding remarks on the applications of our results for the direct construction of pseudo-random bit generators and probabilistic encryption schemes.

2. PROBLEM DEFINITION AND PREVIOUS RESULTS 

The RSA encryption function operates in the message space $Z_N$, where $N = pq$ is the product of two large primes (which are kept secret). The encryption of x is $E_N(x) = x^e \pmod N$, where e is relatively prime to $\varphi(N) = (p-1)(q-1)$. For $0 \le x < N$, $L(x)$ denotes the least significant bit in the binary representation of x.

Let $O_N$ be an oracle which, given $E_N(x)$, outputs a guess for $L(x)$ (this guess might depend on a random coin used by $O_N$). Let $p(N)$ be a function from integers into the interval $[\frac{1}{2}, 1]$. We say that $O_N$ is a $p(N)$-oracle if the probability that the oracle is correct, given $E_N(x)$ as its input, is $p(N)$ (the probability space is that of all $x \in Z_N$ with uniform distribution and, if $O_N$ uses a random coin, also of all 0-1 sequences of coin tosses with uniform distribution).

We say that the RSA least significant bit is $p(N)$-secure if there is a probabilistic polynomial time algorithm which inverts $E_N$, using queries of any $p(N)$-oracle $O_N$. Since an unbiased coin can be used as a $\frac{1}{2}$-oracle, the best possible security result is $\frac{1}{2} + \epsilon$ security for any $\epsilon^{-1} = poly(\log N)$ ($\frac{1}{2}$ security means RSA is breakable). These notions originate from Blum & Micali's work [5], where they have been stated w.r.t the discrete exponentiation function.
Goldwasser, Micali and Tong [12] showed that the least significant bit is as hard to compute as inverting the RSA. Furthermore, they showed that it is $(1 - \frac{1}{\log N})$-secure.

Ben-Or, Chor and Shamir [1] showed a $\frac{3}{4} + \epsilon$ security ($\epsilon^{-1} = poly(\log N)$). They presented an algorithm which inverts the RSA by carrying out a gcd calculation on two multiples of the ciphertext and using any $(\frac{3}{4} + \epsilon)$-oracle. Sampling the oracle they amplified its $\frac{3}{4} + \epsilon$ advantage to "almost certainty", for a polynomial fraction of the message space.

Vazirani and Vazirani [19] improved the result using a novel oracle-sampling technique. They proved that their modification is guaranteed to succeed when given access to any 0.732-oracle.

Goldreich [9] used a better combinatorial analysis to show that the Vazirani & Vazirani modification inverts even when given access to a 0.725-oracle. He also pointed out some limitations of the Vazirani & Vazirani and similar proof techniques.

Schnorr and Alexi [17] introduced a conceptual change in the way the oracle is used. This enabled them to greatly improve the result, showing that the least significant bit is $(\frac{1}{2} + \epsilon)$-secure for any constant $\epsilon > 0$. Their result still leaves a gap towards the optimal $\frac{1}{2} + \frac{1}{poly(\log N)}$ security.

3. A SKETCH OF BEN-OR, CHOR AND SHAMIR'S ALGORITHMIC PROCEDURE

The essence of the inverting algorithm:

Given an encrypted message, $E_N(x)$, the plaintext x is reconstructed by performing a gcd algorithm on two small multiples of it (small means in the interval $[-N/…,\ N/…] \pmod N$). A special binary variant is used for the gcd algorithm. To operate, this variant needs to know the parity of the absolute value of $O(\log^2 N)$ small multiples of the plaintext. Thus, it is provided with a subroutine that determines the parity of these multiples.

Determining parity using an oracle which may err:

The subroutine determines the parity of a small multiple $d = kx$ of the plaintext x by using a $p(N)$-oracle for RSA's l.s.b. as follows. It picks a random r and asks the oracle for the least significant bit of both $rx$ and $rx + d$, by feeding it in turn with $E_N(rx) = E_N(r)E_N(x)$ and $E_N((r + k)x) = E_N(r + k)E_N(x)$. The oracle's answers are processed according to the following observation. Since $d = kx$ is "small", with very high probability no wrap around 0 occurs when d is added to $rx$. Then, the parity of $|d|$ is equal to 0 if the least significant bits of $rx$ and $rx + d$ are identical, and equal to 1 otherwise. This is repeated many times; every repetition (instance) is called a d-measurement. Note that the outcome of a d-measurement is correct if the oracle was correct on both $rx$ and $rx + d$ (the outcome is also correct if the oracle was wrong on both queries, but this fact is not used in [1]).

(Trivial) measurement analysis:

A d-measurement is correct with probability at least $1 - 2(1 - p) = 2p - 1$. (This suffices if $p = \frac{3}{4} + \epsilon$.)

4. A SKETCH OF SCHNORR AND ALEXI'S IMPROVEMENT: $\frac{1}{2} + \epsilon$ FOR ANY CONSTANT $\epsilon$

Schnorr & Alexi's [17] improvement is based on trying all possibilities for the least significant bit of $L = O(\log\log N)$ random, independent positions $w_i = r_i x$ and using these positions as "end points" in all measurements for the $O(\log^2 N)$ d's of the binary gcd algorithm. This way the oracle is queried only about one end-point of each measurement and the error is caused by single position queries rather than by pairs of positions. This enables the error probability per single measurement to be approximately the oracle's error, rather than twice this magnitude as in Ben-Or, Chor & Shamir. Using the fact that the L positions are independent, the Chernoff bound implies that the error probability in deciding the parity of d by the majority of d-measurements is $2^{-\Omega(L\epsilon^2)} \le \frac{1}{\log^c N}$ (here c is a constant). This guarantees that the accumulated error probability in deciding the parity of all $O(\log^2 N)$ d's in the modified binary gcd algorithm is small enough to put the algorithm in random polynomial time.

Note that the running time of Schnorr & Alexi's algorithm is exponential in L. On the other hand, the probabilistic analysis requires that $L = \Omega(\frac{\log\log N}{\epsilon^2})$. Thus, $\epsilon$ can not be replaced by any function which tends to 0 with $N \to \infty$.

5. OUR MAIN RESULT

In this section we prove that the RSA least significant bit is $\frac{1}{2} + \frac{1}{poly(\log N)}$ secure.

Let $O_N$ be an oracle for the RSA least significant bit whose error probability is $\frac{1}{2} - \epsilon$, where $\epsilon^{-1} \le \log^c N$.

Instead of picking $O(\log\log N)$ random independent positions, we generate $L = O(\log^{2c+3} N)$ random positions which are only pairwise independent, such that we know (with very high probability) the least significant bit of each. As in Schnorr and Alexi's work, we query the oracle only about one end-point of each measurement and use the same "decision by majority" idea. Since the positions are not independent, the Chernoff bound cannot be used in our case. However, since the points are pairwise independent, Chebyshev's inequality still holds. It gives an $O(\frac{1}{L\epsilon^2})$ upper bound on the error probability. With L being so large, this error is sufficiently small.

Generating L "random" positions knowing their least significant bits

We generate L positions by picking two random independent variables $y, z \in Z_N$ and trying all possibilities for their least significant bits and their location in one of the intervals $[\frac{iN}{L^3}, \frac{(i+1)N}{L^3})$, $0 \le i < L^3$. There are $(2L^3)^2$ possibilities altogether, and exactly one of them is correct. Let us now assume that we are dealing with the correct choice, i.e. both the least significant bit and the approximate magnitude of y, z are known. The positions we'll look at are $w_i = y + iz \pmod N$ for $i = 1, 2, \ldots, L$. Notice that $w_i$ is a random element in $Z_N$ with uniform probability distribution. Since the locations of both y and z are known up to $\frac{N}{L^3}$, the location of $w_i = y + iz$ is known up to $\frac{N}{L^3} + \frac{iN}{L^3} \le \frac{2N}{L^2}$. The probability of $w_i$ being within an interval of length $\frac{2N}{L^2}$ containing 0 $\pmod N$ is exactly $\frac{2}{L^2}$. If $w_i$ is not in such an interval, then its least significant bit is determined by i and the least significant bits of z and y. Therefore we get

$$\Pr(\text{least significant bit of } w_i \text{ is unknown}) \le \frac{2}{L^2}.$$

Determining parity using the generated positions and the oracle

Let $d \in Z_N$ be any fixed "small" number (one of those generated by the gcd procedure). In order to determine the parity of $|d|$ we'll query the oracle about all points of the form $w_i + d$, XOR the answers with the (known) least significant bits of the corresponding $w_i$ and take the majority.¹ Using Chebyshev's inequality, we'll get a bound for the probability that the majority of the oracle's answers will be biased in the wrong direction.

Error analysis:

Suppose $d \in Z_N$ is any "small" number (in the interval $[-\frac{\epsilon N}{4}, \frac{\epsilon N}{4}]$). For a random $r \in Z_N$, the probability that a wrap around 0 $\pmod N$ occurs when d is added to r is no greater than $\frac{\epsilon}{4}$. Hence if $|d|$ is even, the probability that $O_N$, on input $E_N(r + d)$, gives the same answer as the (true) least significant bit of r is at least $\frac{1}{2} + \epsilon - \frac{\epsilon}{4} = \frac{1}{2} + \frac{3\epsilon}{4}$. Similarly, if $|d|$ is odd, then with probability at least $\frac{1}{2} + \frac{3\epsilon}{4}$, $O_N$'s answer for the least significant bit of $r + d$ is different from the least significant bit of r. By the above discussion, we get

$$\Pr(w_i + d \text{ did not wrap around and } O_N \text{ is correct on it}) \ge \frac{1}{2} + \frac{3\epsilon}{4}, \quad \text{for every } i.$$

Define

$$\xi_i = \begin{cases} 0 & \text{if } w_i + d \text{ did not wrap around and } O_N \text{ is correct on it and } w_i\text{'s l.s.b. is known} \\ 1 & \text{otherwise.} \end{cases}$$

Hence

$$\Pr(\xi_i = 0) \ge \Pr(w_i + d \text{ did not wrap around and } O_N \text{ is correct on it}) - \Pr(w_i\text{'s least significant bit is unknown}) \ge \frac{1}{2} + \frac{3\epsilon}{4} - \frac{2}{L^2} \ge \frac{1}{2} + \frac{\epsilon}{4} \quad \left(\text{for } L \ge \sqrt{4/\epsilon}\right).$$

Therefore, $Exp(\xi_i) = \Pr(\xi_i = 1) \le \frac{1}{2} - \frac{\epsilon}{4}$ and

$$Var(\xi_i) = Exp(\xi_i^2) - Exp^2(\xi_i) = Exp(\xi_i) - Exp^2(\xi_i) = Exp(\xi_i)\,(1 - Exp(\xi_i)) \le \frac{1}{4}.$$

Since $Exp(\xi_i) \le \frac{1}{2} - \frac{\epsilon}{4}$, we get

$$\sum_{i=1}^{L} \xi_i > \frac{L}{2} \implies \sum_{i=1}^{L} \xi_i - Exp\left(\sum_{i=1}^{L} \xi_i\right) > \frac{L\epsilon}{4}.$$

We can apply Chebyshev's inequality (see Feller [8, p. 219]) and get

$$\Pr\left(\left|\sum_{i=1}^{L} \xi_i - Exp\left(\sum_{i=1}^{L} \xi_i\right)\right| \ge \frac{L\epsilon}{4}\right) \le \frac{Var\left(\sum_{i=1}^{L} \xi_i\right)}{(L\epsilon/4)^2}.$$

Since y and z are independent random variables and $y + iz$, $y + jz$ are linearly independent for $i \ne j$, $w_i$ and $w_j$ are also independent random variables for any $i \ne j$. Therefore, for any $i \ne j$, $\xi_i$ and $\xi_j$ are also independent random variables with identical distribution. (Whenever the same function is applied to two independent random variables, the two results are independent random variables.) Let $\zeta_i = \xi_i - Exp(\xi_i)$. By pairwise independence $Exp(\zeta_i \zeta_j) = Exp(\zeta_i)\,Exp(\zeta_j) = 0$ for $i \ne j$. Hence,

$$Var\left(\sum_{i=1}^{L} \xi_i\right) = Exp\left(\Big(\sum_{i=1}^{L} \zeta_i\Big)^2\right) = \sum_{i=1}^{L} Exp(\zeta_i^2) = \sum_{i=1}^{L} Var(\xi_i) \le \frac{L}{4}.$$

Thus the probability that $\sum_{i=1}^{L} \xi_i > \frac{L}{2}$ is smaller than $\frac{L/4}{(L\epsilon/4)^2} = \frac{4}{L\epsilon^2}$. But $\Pr(\sum_{i=1}^{L} \xi_i > \frac{L}{2})$ is exactly the error probability for a single d. We query at most $\log^2 N$ d's in the course of the gcd computation and thus the error probability (for one binary gcd) is bounded by

$$\log^2 N \cdot \Pr(\text{error for a single } d).$$

Taking $L = \log^{2c+3} N$, the overall error probability is bounded from above by

$$\log^2 N \cdot \frac{4}{L\epsilon^2} \le \frac{4 \log^2 N}{\log^{2c+3} N \,(\log^{2c} N)^{-1}} = \frac{4}{\log N}.$$

Hence we can recover the original message in random polynomial time, as desired. This implies

Theorem 1: The RSA least significant bit is $(\frac{1}{2} + \frac{1}{\log^c N})$-secure, for any constant c.

¹ Notice that this decision procedure is exactly the one employed in Ben-Or, Chor & Shamir. The crucial difference is that they had to use the oracle's answer to find $w_i$'s least significant bit, while we know it beforehand (with overwhelming probability).
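The position-generation and majority-vote step of section 5, as an added simulation (not the paper's code): y and z are drawn at random, the reduction's "correct guess" of their least significant bits and N/L³ intervals is taken as given rather than searched for, and the (½ + ε)-oracle is simulated by flipping the true bit with probability ½ − ε (a real oracle's errors need not be independent like this). N, L, ε and the d values are constructed demonstration inputs.

```python
# Added simulation of the section 5 parity decision (not the paper's code).
# Constructed inputs throughout: a toy odd N, a simulated (1/2 + eps)-oracle
# for the least significant bit, and direct knowledge of lsb(y), lsb(z) and
# the N/L^3 intervals of y and z, which the real reduction obtains by trying
# all (2 L^3)^2 possibilities.
import random


def lsb(x):
    """Least significant bit of a non-negative integer."""
    return x & 1


def known_lsb(y_lsb, y_box, z_lsb, z_box, i, L):
    """lsb of w_i = y + i*z (mod N), derived as in the proof from the known
    lsb's of y and z and their interval indices box(v) = floor(v * L^3 / N).
    Returns None when the uncertainty interval of y + i*z may contain a
    multiple of N, i.e. when the proof counts w_i's lsb as unknown."""
    L3 = L ** 3
    t_lo = (y_box + i * z_box) // L3               # wrap count t at the low end
    t_hi = (y_box + 1 + i * (z_box + 1)) // L3     # wrap count at the high end
    if t_lo != t_hi:
        return None
    # w_i = y + i*z - t*N with N odd, so lsb(w_i) = lsb(y) xor lsb(i*z) xor lsb(t)
    return y_lsb ^ (lsb(i) & z_lsb) ^ lsb(t_lo)


def make_oracle(eps, rng):
    """Simulated (1/2 + eps)-oracle: returns the true lsb with prob 1/2 + eps."""
    def oracle(x):
        truth = lsb(x)
        return truth if rng.random() < 0.5 + eps else 1 - truth
    return oracle


def parity_by_majority(d, N, L, eps, rng):
    """Decide the parity of |d| for a 'small' d (|d| <= eps*N/4): query the
    oracle on w_i + d for the pairwise independent w_i = y + i*z, XOR each
    answer with the known lsb of w_i, and take the majority (1 = odd).
    Positions whose lsb is unknown cast no vote.
    Returns (guessed parity, true parity, number of unknown positions)."""
    assert abs(d) <= eps * N / 4
    y, z = rng.randrange(N), rng.randrange(N)
    box = lambda v: v * L ** 3 // N                 # N/L^3 interval index of v
    oracle = make_oracle(eps, rng)
    votes, unknown = 0, 0
    for i in range(1, L + 1):
        w_lsb = known_lsb(lsb(y), box(y), lsb(z), box(z), i, L)
        if w_lsb is None:
            unknown += 1
            continue
        w = (y + i * z) % N
        votes += oracle((w + d) % N) ^ w_lsb        # 1 = 'odd' vote, 0 = 'even'
    return (1 if 2 * votes > L else 0), abs(d) & 1, unknown


def demo(seed=7, N=1282921, L=1000, eps=0.15, ds=(12345, -2468, 777, 40000)):
    """Run the decision on a few constructed d's with a fixed seed."""
    rng = random.Random(seed)
    return [parity_by_majority(d, N, L, eps, rng) for d in ds]


if __name__ == "__main__":
    for guessed, truth, unknown in demo():
        print("guessed", guessed, "true", truth, "unknown positions", unknown)
```
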

6. OTHER RSA BITS

Our proof technique easily extends to provide strong security results for several other RSA bits. In particular the following holds:

Theorem 2:

a) Let $I \subset [0, N]$ be an interval of length $N/2$. The I bit of x is the characteristic function of I (i.e. 1 if $x \in I$ and 0 otherwise). This bit is $(\frac{1}{2} + \frac{1}{\log^c N})$-secure.

b) Let $k = O(\log\log N)$. The k-th bit in the binary expansion of the plaintext is $(\frac{1}{2} + \frac{1}{\log^c N})$-secure.

c) Let $k = O(\log\log N)$. The plaintext's k least significant bits are simultaneously secure. I.e., even if all the least significant bits $x_{k-1}, \ldots, x_2, x_1$ are given together with $E_N(x)$, still $x_k$ is $(\frac{1}{2} + \frac{1}{\log^c N})$-secure.¹

d) All bits in the binary expansion of x (except maybe the $\log\log N$ most significant ones) are $(\frac{3}{4} + \frac{1}{\log^c N})$-secure. At least half of them are $(\frac{1}{2} + \frac{1}{\log^c N})$-secure.

Proof sketch:

(a) and (d) follow from Theorem 1, by reductions due to Ben-Or, Chor and Shamir [1].

¹ Equivalently, given $E_N(x)$, distinguishing between $x_k \cdots x_2 x_1$ and a randomly selected string of length k is as hard as inverting the RSA. This equivalence is due to Yao [21].
b) First note that, using our proof technique, it is possible to guess all k least significant bits of y and z. This determines all k least significant bits of each $w_i$.

Apply the gcd procedure to two small multiples of the plaintext, the greatest common divisor of which is $2^k$. This way all d's in the gcd calculation will have zeros in all $k - 1$ least significant bits. Replace all references to the least significant bit in the inverting algorithm (presented in section 5) by references to the k-th bit. Note that this time we have access to an oracle for the k-th bit.

(This method of transforming certain inverting algorithms which use an oracle for the 1-st bit into inverting algorithms which use an oracle for the k-th bit originates from Vazirani and Vazirani [19].)

c) Going through the proof of Theorem 2(b), notice that when querying the oracle about the k-th bit of $w_i + d$ we can give it the $k - 1$ previous bits of $w_i + d$. (The latter are equal to the $k - 1$ least significant bits of $w_i$, which we know!)

(Vazirani and Vazirani [20] had previously shown that certain inverting algorithms which use a $p(N)$-oracle for the RSA least significant bit can be transformed into inverting algorithms which use a $p(N)$-oracle for predicting $x_k$ (given $x_{k-1}, \ldots, x_1$). It turns out that the inverting algorithm of section 5 falls into the above category; this yields an alternative (but much harder) way of proving Theorem 2(c).)

7. BITS EQUIVALENT TO FACTORING IN RABIN'S ENCRYPTION FUNCTION

7.1 Previous Results

The Rabin encryption function operates in the message space $Z_N$, where $N = pq$ is the product of two large primes (which are kept secret). The encryption of x is $E_N(x) = x^2 \pmod N$. The ciphertext space is $Q_N = \{ y \mid \exists x\ \ y \equiv x^2 \pmod N \}$. Rabin [15] has shown that extracting square roots ("inverting $E_N$") is polynomially equivalent to factoring.

Note that the function $E_N$ defined above is 4 to 1 rather than 1 to 1 (as is the case in the RSA). Blum [2] has pointed out that if $p \equiv q \equiv 3 \pmod 4$ then $E_N$ induces a permutation over $Q_N$. These N's will hereby be called Blum integers. Goldwasser, Micali and Tong [12] have presented a predicate the evaluation of which is as hard as factoring. Specifically, they showed that if $p \equiv 3 \pmod 4$ and $p \equiv q \pmod 8$ then factoring N is polynomially reducible to guessing their predicate with success probability $1 - \frac{1}{\log N}$.

Ben-Or, Chor and Shamir [1] considered the same predicate. Using a modification of their RSA techniques they showed $\frac{3}{4} + \epsilon$ security for this predicate. Their modification requires that N be a Blum integer and furthermore that there exists a small odd number l ($l = O(\log^c N)$) with $\left(\frac{l}{N}\right) = -1$. Its correctness proof makes use of non-elementary number theory.

7.2 Our Result

We transform our RSA security result into a similar result for the Rabin encryption function. Our transformation is simpler than the one used in [1], and its correctness proof is elementary. Furthermore, it holds for any Blum integer.

Let N be a Blum integer, $S_N = \{ x \mid 0 \le x < \frac{N}{2} \}$ and $M_N = \{ x \mid 0 \le x < \frac{N}{2}\ \&\ \left(\frac{x}{N}\right) = 1 \}$. Redefining $E_N$ for $x \in M_N$ as

$$E_N(x) = \begin{cases} x^2 \pmod N & \text{if } x^2 \pmod N < \frac{N}{2} \\ -x^2 \pmod N & \text{otherwise} \end{cases}$$

makes $E_N$ a 1-1 mapping from $M_N$ onto itself, without losing the intractability result of Rabin. I.e. factoring N is polynomially reducible to inverting $E_N$. Let $L(x)$ be the least significant bit of x.

The main idea in the reduction (as in the RSA case) is to pick L positions $w_i \in S_N$ which are uniformly distributed in $S_N$ and pairwise independent, such that their least significant bits are known. Some difficulties arise, but they can be taken care of (see [6]). We get

Theorem 3: The least significant bit for the modified Rabin encryption function is $(\frac{1}{2} + \frac{1}{\log^c N})$-secure, for any constant c.

Corollary: Factoring a Blum integer, N, is polynomially reducible to guessing $L(x)$ with success probability $\frac{1}{2} + \frac{1}{\log^c N}$ when given $E_N(x)$, for $x \in M_N$.

The proofs from the previous section about simultaneous security of $\log\log N$ least significant bits and of bit intervals (for intervals of length $\frac{N}{4}$ out of the $\frac{N}{2}$ long interval containing $M_N$) hold here just as well, thus all these bits are also $\frac{1}{2} + \frac{1}{\log^c N}$ secure.

8. APPLICATIONS 



8.1 Direct Construction of Pseudo-Random Bit Generators

A pseudo-random bits generator is a device which "expands randomness". Given a truly random bit sequence s (the seed), it expands it to a longer pseudo-random sequence. The question of "how random" this pseudo-random sequence is depends on what exact definition of randomness we are after. A strong requirement is that the expanded sequence will pass all polynomial time statistical tests, namely given a pseudo-random and a truly random sequence of equal length, no probabilistic polynomial time algorithm can tell which is which with better than 50-50 success (this definition was proposed by Yao [21], who also showed it is equivalent to some other natural definitions like unpredictability).

Blum and Micali were the first to construct such strong pseudo-random generators. Their construction combines two results:

a) If $g : M \to M$ is a 1-1 one way function, and $B(x)$ is a $\frac{1}{2} + \epsilon$ secure bit for g (where $\epsilon$ = any polynomial fraction), then starting with a random $a \in M$, the sequence obtained by iterating g and outputting $b_i = B(g^i(a))$ for each iteration is pseudo random (in the sense that each of its bits can not be predicted better than 50-50 from the previous ones).

b) Demonstrating that a specific bit is $\frac{1}{2} + \epsilon$ secure for the discrete exponentiation function.
We say that a generator is direct w.r.t the (underlying) one way function g if it produces at 

least one bit per one iteration of g. We say that a generator is strong w.r.t an (assumed) intractable 
problem, P, if distinguishing its output from truly random sequences is as hard as solving P. 
Notice that both the Blum & Micali generator and the Long & Wigderson generator 1 ([14]) are 

'Long & Wigderaon's generator produces loglogp bits per each iteration of the discrete exponentiation (mod p) 
function. This ia due to their proof that this function has loglogp simultaneously hard bits. 
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direct w.r.t discrete exponentiation and strong w.r.t discrete log. 

Another direct generator was conslnicted by Ilium, 111 uni and Shub [,'!]. Their generator is 
direct w.r.t squaring modulo a composite number and was proven strong w.r.t deriding quadratic 
result! ocity. 

Yao [21] made some generalizations to the Blum & Micali result, lie showed that, having a 1 — I 
one way function / is enough and it is not necessary to have a specific secure bit. The main idea 
is that iT / is one way then some bits must be secure (even though not necessarily 2 + c secure). 
Picking a polynomial number of random seeds { ay^ }, we get one strongly pseud 0- random bit b,- 
by computing 

®®/>i(/*(*y.*)) 

(tfy(s) is the j-th bit of s 0 is the one bit XOR or the result.) 

Yao XORing trick works for any 1 — 1 one way function, /, but the generators achieved that 
way are not direct w.r.t / - to produce one bit, many applications of / are needed. I''or further 
details on Yao's XORing trick and its proof consult Coldwasscr [10]. 

All previously known results about the cryptographic security of the Rabin/RSA scheme 
(including the Schnorr & Alexi result) do not suffice for constructing generators which are 
strong w.r.t factoring/inverting the RSA and direct w.r.t the Rabin/RSA encryption 
function. 

With 1/2 + 1/poly(log N) security, we can finally get generators which are direct w.r.t the Rabin/RSA 
encryption function and strong w.r.t factoring/inverting RSA. Each of the bits whose 1/2 + 1/poly(log N) 
security is proven can be used as the "hard bit" the generator outputs. As a matter of fact, 
with the stronger result that all log log N least significant bits are simultaneously 1/2 + 1/poly(log N) 
secure, we can get log log N random bits per one application of the encryption function. Since 
the encryption in the Rabin scheme is just one squaring and one subtraction, we get a very fast 
generator, whose security is equivalent to factoring a Blum integer. 

Using our techniques, Vazirani and Vazirani [20] have pointed out that the Blum, Blum and 
Shub [3] generator is strong also w.r.t. factoring Blum integers. 
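The direct generator just described (iterate the Rabin squaring x → x² mod N, take the log log N least significant bits of each value) as an added Python example; it is not code from the paper. The modulus is a constructed toy Blum integer built from two primes ≡ 3 (mod 4), and bits_per_step, blum_integer and bbs_generator are names chosen here.

```python
"""Direct pseudo-random generator on the Rabin function x -> x^2 mod N,
emitting the log log N least significant bits per squaring.  Added example,
not the paper's code; N is a constructed toy Blum integer (p, q = 3 mod 4)
and is far too small to be secure."""
from math import log2, floor
from typing import List


def is_prime(n: int) -> bool:
    """Trial division; fine for the toy parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def blum_integer(p: int, q: int) -> int:
    """N = p*q with distinct primes p, q = 3 (mod 4)."""
    if not (is_prime(p) and is_prime(q) and p != q and p % 4 == 3 and q % 4 == 3):
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    return p * q


def bits_per_step(n: int) -> int:
    """Number of simultaneously secure least significant bits taken per
    application of the encryption function: floor(log2 log2 N), at least 1."""
    return max(1, floor(log2(log2(n))))


def rabin_generator(seed: int, n: int, count: int, k: int = 0) -> List[int]:
    """Iterate x <- x^2 mod N from the seed and output the k least
    significant bits of each new x (low bit first) until count bits are out."""
    k = k or bits_per_step(n)
    x = seed % n
    out: List[int] = []
    while len(out) < count:
        x = x * x % n                      # one Rabin encryption
        out.extend((x >> i) & 1 for i in range(k))
    return out[:count]


def bbs_generator(seed: int, n: int, count: int) -> List[int]:
    """Blum, Blum and Shub: same iteration, one (the least significant) bit per step."""
    return rabin_generator(seed, n, count, k=1)


if __name__ == "__main__":
    N = blum_integer(1019, 1031)          # constructed toy modulus
    print(bits_per_step(N), rabin_generator(12345, N, 32))
```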

8.2 Direct Construction of Probabilistic Encryption Schemes 

Observations, similar to the ones of section 8.1, apply to the probabilistic encryption scheme 
suggested by Goldwasser and Micali [11]. Using our result we introduce the first direct prob-
abilistic encryption equivalent to factoring/inverting RSA. However, this implementation still has 
the bandwidth expansion drawback; the plaintext is expanded by a factor of O(log N / log log N). 

Recently, Blum and Goldwasser [4] used our result to introduce a new implementation of 
probabilistic encryption, equivalent to factoring, in which the plaintext is only expanded by a 
constant factor. Goldwasser's scheme is approximately as efficient as the RSA while provably 
leaking no partial information, provided that factoring is intractable. 
INFORMATION THEORY WITHOUT THE FINITENESS ASSUMPTION, I: 
CRYPTOSYSTEMS AS GROUP-THEORETIC OBJECTS 

1. INTRODUCTION 

This paper gives a definition of cryptosystem in terms of 
confusion, diffusion and replacement. This definition lends itself to 
infinite, as well as finite, structures, and the notion of group 
appears to play an essential role in it. We offer three theses for 
discussion. The first is that all known cryptosystems fit the 
definition. The second is that (Shannon) confusion amounts to left 
composition of a cryptographic relation with a message and left action 
of a cryptographic relation on a message, as well as that (Shannon) 
diffusion amounts to left composition of a message with a 
cryptographic relation and left action of a message on a cryptographic 
relation. The third is that what Shannon calls mixing cannot occur 
unless a certain type of "nonassociativity", or at least lack of 
adherence to some algebraic laws, is present in the description of a 
cryptosystem in accordance with this definition. 

The three theses are supported by examples below. If the first 
cannot be readily falsified, it would be interesting to express every 
cryptosystem — as well as the known cryptanalytic attacks on it — in 
the style of this paper. If the second cannot, it might be 
appropriate to use it as a precise definition of the notions of 
confusion and diffusion. If the third cannot, it might be a 
jumping-off point for a mathematical exploration of mixing. 

The approach of this paper can suggest new cryptosystems. It 
describes finite cryptosystems and infinite cryptosystems (such as 
analog speech scramblers) with equal facility. It organizes and 
simplifies the current variety of descriptions of cryptosystems. It 
is purely formal and has no place for mechanical or electrical 
notions, such as lug, pin, rotor, box, etc. It can, however, describe 
the workings of crypto boxes which use such devices. 

2. MESSAGES, CONFUSION, DIFFUSION AND REPLACEMENT 

We define a message to be a map (i.e. function) 

m: P/E → A/L 

where P and A are groups [PA66, p. 79], E is a normal subgroup 
[PA66, p. 110] of P, and L is a normal subgroup of A. We speak of 
P/E as being the set of character positions, and of A/L as being 
the alphabet. In other symbolism, a message m is a member of the 
cardinal power [MA67, p. 15] (A/L)^(P/E). We use the algol arrow 
notation for exponents, and so we write instead 

m ∈ (A/L) ↑ P/E. 

A confusion operation s is a (binary) relation [PA66, p. 15] on 
A/L, i.e. a subset of A/L × A/L. A diffusion operation t is a 
(binary) relation on P/E. A replacement operation is a (binary) 
relation r on (A/L) ↑ P/E. Usually a replacement operation is a 
function 

r: (A/L) ↑ P/E → (A/L) ↑ P/E , 

i.e. is a map which turns a message into another message. Our first 
thesis states that all known cryptosystems are families of 
cryptographic keys, and that every cryptographic key is a succession 
of confusion, diffusion and replacement operations or messages. Thus 
this paper actually moves away from the generality of the "family of 
maps" definition which dominates the literature [DE82, p. 7; DI79, 
p. 398; KO81, p. 28] at present. 

For example a simple substitution cryptosystem key s is the 
simplest kind of confusion operation. It is a permutation of A/L, 
i.e. a member of the set SYM(A/L) consisting [KO81, p. 65] of all 
permutations of A/L. To encrypt a message 

m ∈ (A/L) ↑ P/E 

by means of a simple substitution key 

s ∈ SYM(A/L) ⊆ (A/L) ↑ A/L 

one forms the ordinary composite [PA66, p. 63] function 

s ∘ m ∈ (A/L) ↑ P/E 

defined by setting 

(s ∘ m)(p) = s(m(p)) 

for every p ∈ P/E. As an example we will consider the plaintext 
message m = SUBSTITUTION. Let us take 

P = Z, the integers under addition 
E = 12Z = {...,-12,0,12,24,36,...} 
A = Z 
L = 26Z 

Thus we can view SUBSTITUTION as a function 

m: Z/12Z → Z/26Z 

where we source-code by making the identification 

1 ↔ A 
2 ↔ B 
... 
25 ↔ Y 
26 = 0 ↔ Z 

In this case we have, for example, 

m(1) = S ( = 19, really), 
m(2) = U ( = 21), 
m(3) = B ( = 2), 
... 
m(11) = O ( = 15), 
m(12) = N ( = 14). 

If s is the Caesar [KO81, pp. 69-72] cipher 

s: Z/26Z → Z/26Z 

defined by setting 

s(ζ) = ζ + 2 (modulo 26) 

i.e. 

A → C 
B → D 
... 
X → Z 
Y → A 
Z → B. 

then s ∘ m is the message 

s ∘ m(1) = s(m(1)) = s(19) = 21 = U 
s ∘ m(2) = s(m(2)) = s(21) = 23 = W 
s ∘ m(3) = s(m(3)) = s(2) = 4 = D 
... 
s ∘ m(11) = s(m(11)) = s(15) = 17 = Q 
s ∘ m(12) = s(m(12)) = s(14) = 16 = P 

in other words the plaintext message SUBSTITUTION is replaced by the 
cryptext message UWDUVKVWVKQP under the Caesar cryptosystem key "move 
two places down the alphabet." 

To exemplify diffusion at the simplest level we use a 
transposition cipher key t on the plaintext message TRANSPOSITIONS. 
To model this we can choose to take: 

P = Z ; 
E = 0Z = {0}, the small trivial subgroup; 
A = Z ; 
L = 27Z . 

Here we have chosen to identify letters, plus the blank symbol, of the 
latin alphabet with members of Z/27Z as follows: 

27 = 0 ↔ blank 
1 ↔ A 
2 ↔ B 
... 
25 ↔ Y 
26 ↔ Z . 

Then the message 

m: Z/0Z → Z/27Z 

amounts to the function 

m: Z → Z/27Z 

defined by setting 

m(ζ) = 0 if ζ ≤ 0 
m(λ) = 0 if λ ≥ 15 
m(1) = T ( = 20, really), 
m(2) = R ( = 18), 
m(3) = A ( = 1), 
... 
m(13) = N ( = 14), 
m(14) = S ( = 19). 
We can choose a transposition t which turns blocks of 7 letters 
around, i.e. we can choose t such that 

t(7b + β) = 7b + (8 - β) 

for any integer b, any positive integer β ≤ 7. To encrypt the 
plaintext message m, i.e. the 14-letter block, 

TRANSPOSITIONS 

preceded and followed by infinitely many blanks, using the 
transposition cryptosystem key t we form the cryptext message m ∘ t. 
Evidently 

(m ∘ t)(ζ) = m(t(ζ)) = 0 
if ζ ≤ 0 (for then t(ζ) ≤ 0) and 

(m ∘ t)(λ) = m(t(λ)) = 0 
if λ ≥ 15 (for then t(λ) ≥ 15). But 

(m ∘ t)(1) = m(t(1)) = m(7) = O 
(m ∘ t)(2) = m(t(2)) = m(6) = P 
... 
(m ∘ t)(6) = m(t(6)) = m(2) = R 
(m ∘ t)(7) = m(t(7)) = m(1) = T 
(m ∘ t)(8) = m(t(8)) = m(14) = S 
(m ∘ t)(9) = m(t(9)) = m(13) = N 
... 
(m ∘ t)(13) = m(t(13)) = m(9) = I 
(m ∘ t)(14) = m(t(14)) = m(8) = S 

so m ∘ t is thus the 14-letter block 

OPSNARTSNOITIS 

preceded and followed by infinitely many blanks. We note, in passing, 
that the definition of t is most naturally framed in terms of the 
cosets of the subgroup 7Z of the group Z = P of message 
positions. We will return to this theme later. 
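The two composites worked above (s ∘ m for SUBSTITUTION under the Caesar key, and m ∘ t for TRANSPOSITIONS under the 7-letter block reversal t(7b + β) = 7b + (8 - β)) as an added Python example; this is not code from the paper. It assumes the paper's source codings (1 ↔ A, ..., 26 = 0 ↔ Z in Z/26Z; 27 = 0 ↔ blank in Z/27Z) and represents a message as a function on all of Z that is blank outside the block, so the coset-preserving behaviour of t at positions 0 and 15 can be checked.

```python
"""Messages as maps on Z, substitution as a left composite s o m and
transposition as a right composite m o t.  Added example (not the paper's
code); source codings follow the paper's worked examples."""
from typing import Callable

Msg = Callable[[int], int]   # message m: Z -> Z/modZ (0 = blank off the block)


def letter_code(ch: str, mod: int) -> int:
    """Source coding: 1 <-> A, ..., 25 <-> Y, 26 = 0 <-> Z (mod 26),
    or 27 = 0 <-> blank with 26 <-> Z (mod 27)."""
    if ch == " ":
        return 0
    return (ord(ch) - ord("A") + 1) % mod


def code_letter(c: int, mod: int) -> str:
    """Inverse source coding."""
    c %= mod
    if c == 0:
        return "Z" if mod == 26 else " "
    return chr(ord("A") + c - 1)


def message(text: str, mod: int) -> Msg:
    """m(p) for p = 1 .. len(text); every other position is 0 (blank)."""
    table = {p + 1: letter_code(ch, mod) for p, ch in enumerate(text)}
    return lambda p: table.get(p, 0)


def caesar(shift: int, mod: int = 26) -> Callable[[int], int]:
    """Confusion operation s on the alphabet: s(c) = c + shift (mod)."""
    return lambda c: (c + shift) % mod


def block_reversal(block: int) -> Callable[[int], int]:
    """Diffusion operation t on positions: t(block*b + beta) =
    block*b + (block + 1 - beta) for every integer b and 1 <= beta <= block,
    i.e. t permutes each coset of blockZ within itself."""
    def t(p: int) -> int:
        b, beta = divmod(p - 1, block)          # p = block*b + (beta + 1)
        return block * b + (block + 1) - (beta + 1)
    return t


def render(y: Msg, n: int, mod: int) -> str:
    """Letters of the cryptext y at positions 1 .. n."""
    return "".join(code_letter(y(p), mod) for p in range(1, n + 1))


def encrypt_substitution(text: str, shift: int = 2) -> str:
    """(s o m)(p) = s(m(p)): the Caesar key acts on the codomain Z/26Z."""
    m, s = message(text, 26), caesar(shift)
    return render(lambda p: s(m(p)), len(text), 26)


def encrypt_transposition(text: str, block: int = 7) -> str:
    """(m o t)(p) = m(t(p)): the block reversal acts on the domain Z."""
    m, t = message(text, 27), block_reversal(block)
    return render(lambda p: m(t(p)), len(text), 27)


def transposed_is_blank(text: str, p: int, block: int = 7) -> bool:
    """(m o t)(p) = 0 off the block, because t keeps p inside its coset."""
    m, t = message(text, 27), block_reversal(block)
    return m(t(p)) == 0


if __name__ == "__main__":
    print(encrypt_substitution("SUBSTITUTION"))      # UWDUVKVWVKQP
    print(encrypt_transposition("TRANSPOSITIONS"))   # OPSNARTSNOITIS
```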

To sum up, our second thesis is that confusion (as Shannon 
[SH49] used the term) is applied to a message m by forming its left 
composite s ∘ m with a relation s on its codomain [MA67, p. 4]. 
If, in particular, s is a permutation we have substitution. 
Continuing the second thesis, we assert that Shannon diffusion is 
applied to a message m by forming its right composite m ∘ t with a 
relation t on its domain [MA67, p. 4]. If, in particular, t is a 
permutation we have transposition. In either case the natural group 
operation on the structure in question may be utilized to produce the 
needed permutations (or, more generally, functions or, most generally, 
relations). 

So far we have treated the only two ways you can form composites 
involving a message m, on the right and on the left. There remains 
the possibility of regarding m itself as a domain point, and 
applying a function to it. This is the idea behind replacement. 
Replacement is a function r whose domain consists of messages and 
whose codomain also does. One example, though an imperfect one, of 
replacement is a code book. 

This paper will concentrate largely on finite non-Shannon 
cryptosystems, i.e. collections of keys which act on finite alphabets, 
and which are not based on the idea of many successive applications of 
confusion, diffusion and replacement. The DES, an archetypal Shannon 
"roll the dough and fold it" [SH49] cryptosystem, will be treated in a 
later paper. 

3. MONALPHABETS AND CAESARS 

The composite q ∘ s of two simple (i.e. monalphabetic) 
substitution cipher keys 

q: A/L → A/L 
s: A/L → A/L 

is itself a simple substitution cipher key 

q ∘ s: A/L → A/L 

which encrypts a message 

m: P/E → A/L 

by the rule which defines 

(q ∘ s) ∘ m : P/E → A/L 

by setting 

((q ∘ s) ∘ m)(p) = (q ∘ s)(m(p)) = q(s(m(p))) 

for every p ∈ P/E. The associativity, (q ∘ s) ∘ m = q ∘ (s ∘ m), of 
function composition is what Hellman calls the closure property. It 
means that one cannot achieve greater strength through mixing when one 
merely follows one substitution by another. Since SYM(A/L) is a 
group it follows that the collection MON[A/L] of all monalphabetic 
substitution cipher keys on an alphabet A/L is a group isomorphic to 
SYM(A/L). The collection LCAE[A/L] of all left Caesar cipher keys 
on A/L is defined as follows. For each α ∈ A/L define 

L[α]: A/L → A/L 

by setting 

L[α](ρ) = α # ρ, 

where # is the group operation of A/L. To encrypt a message 
m: P/E → A/L form the composite function 

L[α] ∘ m: P/E → A/L 

defined by setting 

(L[α] ∘ m)(p) = L[α](m(p)) 
= α # m(p) 

for every p ∈ P/E. The collection RCAE[A/L] of right Caesar cipher 
keys is defined analogously. If A/L is abelian then 
LCAE[A/L] = RCAE[A/L] = CAE[A/L], the set of all two-sided Caesar 
cipher keys on A/L. It is obvious from the proof of Cayley's theorem 
[PA66, pp. 120-121] that LCAE[A/L] (under function composition) is 
isomorphic to A/L. Similarly RCAE[A/L] is isomorphic to A/L. 

A heuristic principle suggests itself here. If there are only 
about as many keys in a simple substitution cipher as there are 
letters in the alphabet, you may be dealing with a Caesar cipher. We 
shall, in accordance with this heuristic principle, see that the 
Pohlig-Hellman and the Rivest-Shamir-Adleman number-theoretic 
cryptosystems are very Caesar-like. 

4. POLYALPHABETS AND ONE-TIME PADS 

We now give the group-theoretic formulation of classical 
polyalphabetic ciphers. Let us again use source coding to replace the 
latin alphabet by the set {0, 1, 2, ..., 25} ⊂ Z 

A ↔ 1 
B ↔ 2 
... 
Z ↔ 26 = 0 

and let us agree to regard it not merely as a set [HA60, pp. 1-3], but 
as an additive [MA67, p. 71] abelian [MA67, pp. 71-77] group, 
Z/26Z = C_26 = Z_26 [MA67, pp. 129-132]. Here, as often below, we 
allow ourselves to indulge in the common abuse of language which uses 
equality (=) where isomorphism [MA67, pp. 56-57] (≅) is meant. A 
polyalphabetic (n alphabets) cipher key is determined by a family 
[HA60, p. 34] 

s: Z/nZ → SYM(Z/26Z) 

of permutations [MA67, p. 72] of the "alphabet" Z/26Z. The family is 
indexed by the cosets [MA67, p. 51] (let us agree to call them by the 
coset leader names 1, 2, ..., n) within Z (considered as an 
additive abelian group) modulo the subgroup [MA67, p. 84] nZ. 
From the plaintext message 

m: Z → Z/26Z 

and the n-alphabetic cipher key 

s: Z/nZ → SYM(Z/26Z) 

we form the cryptext message 

y: Z → Z/26Z 

according to the rule 

y(e + λ) = s_λ(m(e + λ)) 

for every member e of the subgroup E = nZ, every coset leader name 
λ ∈ Λ = {1, 2, ..., n}. There is no harm in making the identification 

Λ = Z/nZ 

as long as you stick to a particular set of coset leaders (i.e. a 
particular set of names of cosets). In a strict mathematical sense Λ 
is the range of a choice function [HA60, p. 60] 

f: Z/nZ → Z. 

Such a function f has the property that f(Q) ∈ Q for every coset 
Q = j + nZ = {j + nζ: ζ ∈ Z} of nZ in Z. 

To exemplify this definition in a 3-alphabet substitution case, 
take the message 

POLYALPHABET 

i.e. 

m: Z/12Z → Z/27Z 

such that 

m(1) = 16 = P 
m(2) = 15 = O 
m(3) = 12 = L 
m(4) = 25 = Y 
m(5) = 1 = A 
m(6) = 12 = L 
m(7) = 16 = P 
m(8) = 8 = H 
m(9) = 1 = A 
m(10) = 2 = B 
m(11) = 5 = E 
m(12) = 20 = T 

and take 

s: Z/3Z → SYM(Z/27Z) 

defined by setting 

s_0(α) = α + 2 
s_1(α) = α + 3 
s_2(α) = α + 5 

for each α, where we have taken 

Λ = Z/3Z = {0,1,2} 

Thus 

s_1(m(1)) = s_1(16) = 16 + 3 = 19 = S 
s_2(m(2)) = s_2(15) = 15 + 5 = 20 = T 
s_0(m(3)) = s_0(12) = 12 + 2 = 14 = N 
s_1(m(4)) = s_1(25) = 25 + 3 = 2 = B 
s_2(m(5)) = s_2(1) = 1 + 5 = 6 = F 
s_0(m(6)) = s_0(12) = 12 + 2 = 14 = N 
s_1(m(7)) = s_1(16) = 16 + 3 = 19 = S 
s_2(m(8)) = s_2(8) = 8 + 5 = 13 = M 
s_0(m(9)) = s_0(1) = 1 + 2 = 3 = C 
s_1(m(10)) = s_1(2) = 2 + 3 = 5 = E 
s_2(m(11)) = s_2(5) = 5 + 5 = 10 = J 
s_0(m(12)) = s_0(20) = 20 + 2 = 22 = V 

So the 3-alphabetic encryption of 

POLYALPHABET 

in this key s is 

STNBFNSMCEJV . 

Suppose that n = 1. Then nZ = 1Z = Z is the large trivial 
subgroup and 

Z/nZ = Z/Z = {0} = 0Z 

(up to isomorphism). In this case the key s is a one-permutation 
family, i.e. a monalphabetic substitution cipher key. If n = 0 then 

nZ = 0Z = {0} 

is the small trivial subgroup and 

Z/nZ = Z/0Z = Z/{0} = Z 

(up to isomorphism). In this case the key s: Z → SYM(Z/26Z) is an 
infinite family of permutations of the "alphabet" Z/26Z, one for each 
plaintext message letter. This is a one-time substitution (somewhat 
fancier than the classical bitwise one-time pad [KO81, p. 135] which 
uses Z/2Z rather than Z/26Z as its alphabet). 

Evidently the underlying structure which embraces monalphabets 
(including Caesars), polyalphabets, and one-time pads is 

m: P → A/L 
s: P/E → SYM(A/L) 
y: P → A/L 

where P is a group with normal [MA67, p. 106] subgroup E, where A 
is a group with normal subgroup L, where SYM(A/L) is the set (it 
is in an obvious and natural sense a group, of course) of permutations 
of A/L, where m: P → A/L is an arbitrary message, where # is the 
group operation in P, and where 

y(e # λ) = s_λ(m(e # λ)) 

for every e ∈ E, every coset [MA67, pp. 101-103] leader λ ∈ Λ = P/E 
(equality being used where isomorphism is meant). Such a structure is 
called a (polyalphabetic) substitution cipher key. You can use right 
cosets instead of left cosets, with the obvious changes. Most 
classical cryptosystems are based on additive [MA67, p. 71] abelian 
groups, so cosets are two-sided. 

The composite of two substitution cipher keys 

s: P/E → SYM(A/L) 
s': P/E' → SYM(A/L) 

is a substitution cipher key 

u: P/(E ∩ E') → SYM(A/L). 

In the commonest case we are dealing with residue classes 
[PA66, p. 53] of integers: 

P/E = Z/nZ, 
P/E' = Z/n'Z. 

We let m = lcm(n, n'), the least common multiple [PA66, p. 44] of 
n and n', and we find that 

nZ ∩ n'Z = mZ. 

Thus the composite of a 12-alphabetic substitution key on the alphabet 
A/L and a 42-alphabetic substitution key on A/L (in either order) 
is an 84-alphabetic substitution key on A/L. 

The composite of a simple substitution cipher key with an 
n-alphabetic substitution cipher key is n-alphabetic. The composite 
of any substitution cipher key with a one-time pad is a one-time pad. 
The collection of all substitution cipher keys on an alphabet A/L 
forms a group. 
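The polyalphabetic rule y(e + λ) = s_λ(m(e + λ)) from the 3-alphabet POLYALPHABET example, together with the lcm rule for the composite of two substitution cipher keys, as an added Python example that is not the paper's code. It assumes the 1 ↔ A, ..., 26 = 0 ↔ Z coding with all letter arithmetic in Z/26Z (which is what the example's step 25 + 3 = 2 = B amounts to), names the coset leaders 0, 1, ..., n-1 as that example does, and the helper names (shift_key, compose, period) are chosen here.

```python
"""Polyalphabetic substitution keys s: Z/nZ -> SYM(Z/26Z), their application
y(e + lam) = s_lam(m(e + lam)), and composition of two keys.  Added example,
not the paper's code; arithmetic is in Z/26Z with 1 <-> A, ..., 26 = 0 <-> Z."""
from math import lcm
from typing import Callable, Dict, List

MOD = 26
Perm = Callable[[int], int]        # a permutation of the alphabet Z/26Z
Key = List[Perm]                   # key[lam] = s_lam for lam = 0 .. n-1 (n alphabets)


def message(text: str) -> Dict[int, int]:
    """m: {1, ..., len(text)} -> Z/26Z under the source coding."""
    return {p + 1: (ord(ch) - ord("A") + 1) % MOD for p, ch in enumerate(text)}


def code_letter(c: int) -> str:
    c %= MOD
    return "Z" if c == 0 else chr(ord("A") + c - 1)


def shift_key(shifts: List[int]) -> Key:
    """n-alphabet key whose lam-th permutation is alpha -> alpha + shifts[lam]
    (a family of Caesar permutations, as in the POLYALPHABET example)."""
    return [lambda c, k=k: (c + k) % MOD for k in shifts]


def encrypt(m: Dict[int, int], key: Key) -> str:
    """y(e + lam) = s_lam(m(e + lam)): position p lies in the coset p mod n
    of nZ in Z, so the permutation indexed by that coset is applied."""
    n = len(key)
    return "".join(code_letter(key[p % n](m[p])) for p in sorted(m))


def compose(a: Key, b: Key) -> Key:
    """Composite key u: Z/lcm(n, n')Z -> SYM(Z/26Z) with u_lam = a_lam o b_lam:
    for each position apply b's permutation first, then a's."""
    n = lcm(len(a), len(b))
    return [lambda c, lam=lam: a[lam % len(a)](b[lam % len(b)](c))
            for lam in range(n)]


def period(key: Key) -> int:
    """Smallest n such that the family of permutations repeats with period n,
    i.e. the number of alphabets actually in use."""
    table = [tuple(f(c) for c in range(MOD)) for f in key]
    for n in range(1, len(table) + 1):
        if len(table) % n == 0 and all(table[i] == table[i % n] for i in range(len(table))):
            return n
    return len(table)


if __name__ == "__main__":
    print(encrypt(message("POLYALPHABET"), shift_key([2, 3, 5])))            # STNBFNSMCEJV
    four, six = shift_key([1, 2, 3, 4]), shift_key([1, 2, 3, 4, 5, 6])
    print(period(compose(four, six)))                                       # 12 = lcm(4, 6)
```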

5. INFINITE SUBSTITUTION CIPHERS AND TORSION 

The classical Vernam/Mauborgne one-time pad using a two-member 
alphabet can be described as 

m: Z → Z/2Z 
s: Z/0Z → SYM(Z/2Z) 
y(λ) = y(0 + λ) = s_λ(m(0 + λ)) = s_λ(m(λ)) 

for every λ ∈ Z. Since 0Z is the inverse limit (i.e. projective 
limit [MA71, pp. 68-72], in this case the intersection [HA60, 
pp. 14-18]) of the members of the sequence 

{Z, 2Z, 3Z, ...} 

we can say that Z = Z/0Z is a sort of limit of Z/Z, Z/2Z, Z/3Z, ..., 
and thus that the one time pad is not merely an ∞-alphabetic 
substitution cipher. It is also a limit of polyalphabetic 
substitution ciphers. It is torsion-free (i.e. lacking in nonzero 
elements of finite order [MA67, p. 81]). But it is not the only limit 
of polyalphabetic ciphers. Evidently for every nonzero rational 
number q, the group Q/qZ amounts (up to isomorphism) to Q/Z, the 
rationals [MA67, pp. 166-171] modulo 1. This group Q/qZ is the 
direct limit (i.e. inductive limit, colimit [MA71, pp. 67-68]; in 
this case, in a natural sense, the direct limit is the union [HA60, 
pp. 12-13] of the terms) of the sequence [HA60, p. 45] 

Z/Z, Z/2Z, Z/3Z, ... . 

This group is also the jumping-off point for the cipher key based on 

m: Q → A/L 
s: Q/qZ → SYM(A/L) 
y(e + λ) = s_λ(m(e + λ)) 

for every e ∈ qZ, every λ ∈ Λ (the set of coset leaders of Q/qZ). 
This is also an ∞-alphabetic substitution cipher. But it is all 
torsion [MA67, pp. 344-348] (i.e. every element of Q/qZ is of finite 
order). It repeats its (infinitely) many permutations of its alphabet 
at intervals of q. This suggests yet another ∞-alphabetic 
substitution cipher key based on 

m: R → A/L 
s: R/rZ → SYM(A/L) 
y(e + λ) = s_λ(m(e + λ)) 

for every e ∈ rZ, every λ ∈ Λ (the set of coset leaders of 
R/rZ), where r is any nonzero real number. The structure R/rZ has 
very little torsion. Only the rational multiples of r have finite 
order. And they form a set of Lebesgue measure [RO71, pp. 52-63] 
zero. This cipher key repeats its alphabets at intervals of r. If 
these last two cipher keys (the one whose permutations of its alphabet 
are indexed by Q/qZ and the one whose permutations of its alphabet 
are indexed by R/rZ) are equally easy to break, then torsion would 
seem to have little to do with the cryptanalysis of polyalphabetic 
substitution ciphers. If not, then torsion may play a role in such 
cryptanalysis. 



6. TRANSPOSITION CIPHERS 

A natural example of how cosets arise in transposition ciphers 
can be given in terms of a transposition cipher key which turns the 
message 

HOMOMORPHISM 

into the message 

OMOHPROMMSIH. 

One way to obtain this encryption is to reverse successive four letter 
strings 

HOMO → OMOH 
MORP → PROM 
HISM → MSIH 

This is compatible with the definitions 

m = {(1,H), (2,O), ..., (12,M)} ∪ {(j, blank): j ∉ {1, 2, ..., 12}} 

and 

t = {(4w+1, 4w+4), (4w+2, 4w+3), (4w+3, 4w+2), (4w+4, 4w+1): w ∈ Z}, 

whence 

m ∘ t = {(1,O), (2,M), ..., (12,H)} ∪ {(j, blank): j ∉ {1, 2, ..., 12}} 

Such transposition cipher keys are clearly of the form 

y(e + λ) = m(f(e + λ)) = m(e + t(λ)) 

where f(e + λ) = e + t(λ) and 

t ∈ SYM(Λ) = SYM(P/E) 

is arbitrary. In the case at hand 

P = Z 
E = 4Z 
P/E = Z/4Z = Λ = {1, 2, 3, 4} 
t = {(1,4), (2,3), (3,2), (4,1)}. 

7. MIXING AND "ASSOCIATIVITY" 

The designer of a cryptosystem has no reason to be grateful for 
the associative law of function composition. Suppose, for example, 
that 

q: A/L → A/L 
s: A/L → A/L 

are monalphabetic substitution cipher keys and that 

t: P/E → P/E 
u: P/E → P/E 

are transposition cipher keys. Then we know from associativity that 

q ∘ (s ∘ (m ∘ (t ∘ u))) = ((q ∘ s) ∘ m) ∘ (t ∘ u) = ... = q ∘ s ∘ m ∘ t ∘ u . 

Such combinations of keys exhibit what Hellman calls closure. 
Repeated operations do not enhance security. Whenever, on the other 
hand, one can contrive operations such that, for example, 

q ∘ ((s ∘ (m ∘ t)) ∘ u) ≠ ((q ∘ s) ∘ (m ∘ t)) 

or 

s(m(α + ρ)) ≠ s(m(α)) + s(m(ρ)) 

the possibility of greater cryptographic strength exists. The third 
thesis of this paper is that mixing (in the Shannon [SH49] sense) 
amounts to the failure of algebraic identities (such as commutative, 
distributive or, especially, associative laws) which would make a 
cryptanalyst's job easier when dealing with cryptosystems which are 
compounded of a succession of confusion, diffusion, and replacement 
operations. 

How can associativity fail? It cannot when transposition and 
monalphabetic substitution are the only operations used. But we 
also have both polyalphabetic substitution and replacement at our 
disposal. 

Consider, first, a message 

m ∈ (A/L) ↑ P/E , 

a simple substitution 

s ∈ (A/L) ↑ A/L 

and a replacement 

r: (A/L) ↑ P/E → (A/L) ↑ P/E . 

The expression r(s ∘ m) makes sense and, in fact, 

s ∘ m ∈ (A/L) ↑ P/E , 

whence 

r(s ∘ m) ∈ (A/L) ↑ (P/E) 

makes perfectly good sense. But what can (r(s)) ∘ m mean? After 
all 

s ∈ (A/L) ↑ (A/L) 

but the domain of r is (A/L) ↑ P/E. So there is usually no way to 
make sense of r(s), much less (r(s)) ∘ m. Consequently we conclude 
that an equality such as 

r(s ∘ m) = (r(s)) ∘ m 

is impossible (and, in fact, nonsensical) in all but very special and 
contrived circumstances. What about a comparison between r(m ∘ t) 
and (r(m)) ∘ t ? In this case both symbols make sense, and both 
symbols belong to 

(A/L) ↑ P/E . 

But are they equal? Not usually. For example let 

P = A = Z , 
E = L = 2Z , 

whence 

P/E = A/L = Z/2Z . 

Let 

m = {(0,0), (1,1)} 
t = {(0,1), (1,0)} 
r({(0,0), (1,1)}) = {(0,1), (1,1)} 
r({(0,1), (1,0)}) = {(0,0), (1,0)} 

Then 

m ∘ t = {(0,1), (1,0)} 
r(m ∘ t) = {(0,0), (1,0)} 
r(m) = {(0,1), (1,1)} 
(r(m)) ∘ t = {(0,1), (1,1)} 

whence 

r(m ∘ t) ≠ (r(m)) ∘ t . 

An equation such as 

r(m ∘ t) = (r(m)) ∘ t 

is not, of course, a true associative law, since r(m) is the action 
of a function r on a "point" m of its domain, whereas m ∘ t is 
the composite of the function m following the function t. The 
design of DES uses all three operations, confusion, diffusion and 
replacement. And it achieves mixing by exploiting such failures of 
"associativity" in its rounds. 

"Associativity" can fail in other ways, too. We will content 
ourselves with merely mentioning one more example of failure of 
"associativity". The reader can easily verify the fact that 
polyalphabetic substitutions need not commute with transposition, even 
though monalphabetic substitution does, i.e. even though 
s ∘ (m ∘ t) = (s ∘ m) ∘ t when m is a message, s is a 
monalphabetic substitution, and t is a transposition. 

8. NUMBER-THEORETIC CRYPTOSYSTEMS, MONALPHABETS AND CAESARS 

The Pohlig-Hellman [PO78] conventional cryptosystem (PHC) and the 
Rivest-Shamir-Adleman [RI78] public key cryptosystem (RSA) are number-
theoretic cryptosystems in the sense of [BL79]. PHC is the 1-prime 
case. Both the prime p and φ(p) = λ(p) = p-1 must be kept 
secret. RSA is the 2-prime case. The primes p and q, as well as 
the totient φ(pq) = (p-1)(q-1) and the universal [LE56, Vol. 1, pp. 
53-56] exponent λ(pq) must be kept secret. Both cryptosystems are 
monalphabetic substitutions with large Caesar subsystems. 

To make this statement precise we sketch the definition of a 
general number-theoretic cryptosystem. So let 

w = Πp 

be a (square-free) product of odd primes p belonging to a (secret) 
set P of primes. Since P is secret, the universal exponent 
λ(w) is secret. λ(w) is, by definition, the least common multiple 
of the members of the set Λ = {p-1: p ∈ P}. 

For a given modulus w = Πp there are φ(λ(w)) encode/decode 
pairs (c,d) of positive integers less than λ(w) such that 

cd ≡ 1 (mod λ(w)). 

Encoding is the process 

x → x↑c mod w 

Decoding is 

y → y↑d mod w. 

Any key (c,d) in this cryptosystem thus amounts to an 
encryption process which is a permutation of Z/wZ. Number-theoretic 
cryptosystems are thus monalphabetic substitutions on the alphabet 

A/L = Z/wZ 
Since there are so few keys (c,d) corresponding to a given modulus 
w (i.e. to an alphabet A/L = Z/wZ) one might suspect the existence 
of a Caesar cipher, perhaps on a subset of this alphabet. And one 
does exist. There are elements γ ∈ Z/wZ with (multiplicative) order 
λ(w). Let γ be one of them and let Γ ⊆ Z/wZ be the set 

Γ = {γ, γ↑2, γ↑3, ..., γ↑λ(w) = 1} 

of powers of γ. Evidently Γ is a rather large subset of Z/wZ, 
since λ(w)/w is fairly close to 1 if w is the product of just a 
few primes p such that p-1 does not have many small factors. The 
encryption process x → x↑c effects a permutation of the members of 
any such Γ, since c is relatively prime to λ(w). Encryption on Γ 
is the mapping 

γ↑a → (γ↑a)↑c = γ↑(a*c) , 

where the asterisk denotes multiplication modulo λ(w). Thus the 
encryption process, restricted to Γ, is determined by the Caesar 
cipher mapping 

a → a*c . 

But to exploit our knowledge of the existence of very large Caesar 
subsystems of an RSA public key cryptosystem [RI78] or a 
Pohlig-Hellman conventional cryptosystem [PO78] we appear to 
have to find some appropriate γ, as well as its corresponding set Γ, 
and be able to solve a corresponding discrete logarithm problem. 

Let us take an RSA example. Let w = 35. The RSA is a 
monalphabet substitution cipher on the 35 member alphabet Z/35Z. In 
this case 

λ(w) = λ(35) = 12 

The φ(λ(35)) = φ(12) = 4 keys amount to the 4 encrypt/decrypt 
exponent pairs 

(c,d) = (1,1), 
(c,d) = (5,5), 
(c,d) = (7,7), 
(c,d) = (11,11). 

One such Γ is the set 

Γ = {2,4,8,16,32,29,23,11,22,9,18,1} 

of all powers of γ = 2. Let us note what happens when the key (5,5) 
is used. 

2↑5 = (2↑1)↑5 = 2↑(1*5) = 2↑5 = 32 
4↑5 = (2↑2)↑5 = 2↑(2*5) = 2↑10 = 9 
8↑5 = (2↑3)↑5 = 2↑(3*5) = 2↑3 = 8 
16↑5 = (2↑4)↑5 = 2↑(4*5) = 2↑8 = 11 
32↑5 = (2↑5)↑5 = 2↑(5*5) = 2↑1 = 2 
29↑5 = (2↑6)↑5 = 2↑(6*5) = 2↑6 = 29 
23↑5 = (2↑7)↑5 = 2↑(7*5) = 2↑11 = 18 
11↑5 = (2↑8)↑5 = 2↑(8*5) = 2↑4 = 16 
22↑5 = (2↑9)↑5 = 2↑(9*5) = 2↑9 = 22 
9↑5 = (2↑10)↑5 = 2↑(10*5) = 2↑2 = 4 
18↑5 = (2↑11)↑5 = 2↑(11*5) = 2↑7 = 23 
1↑5 = (2↑12)↑5 = 2↑(12*5) = 2↑0 = 1 

So more than 1/3 of this RSA is a concealed version of the 
Caesar cipher 

t → 5t modulo 12 

acting on the set 

{1,2,...,10,11,0 = 12 = λ(35)} 

A different γ, Γ pair would be 

γ = 3 

Γ = {3,9,27,11,33,29,17,16,13,4,12,1}. 

A similar analysis can be provided for the Caesar cipher based on this 
γ, Γ pair. 
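The w = 35 computation above, as an added Python example that is not the paper's code: it derives λ(w), the φ(λ(w)) key pairs, the elements γ of order λ(w) (rather than taking γ = 2 and γ = 3 as given), the set Γ of powers, and checks that x → x↑c on Γ is the Caesar cipher a → a*c on exponents. The function names are chosen here; math.lcm and pow(c, -1, n) need Python 3.9 or later.

```python
"""Caesar subsystem hidden inside a number-theoretic (RSA / Pohlig-Hellman)
monalphabetic substitution.  Added example, not the paper's code; w = 35 is
the paper's toy modulus and is of course not a usable key size."""
from math import gcd, lcm
from typing import List, Tuple


def universal_exponent(primes: List[int]) -> int:
    """lambda(w) = lcm{p - 1 : p in P} for w = product of the distinct primes in P."""
    return lcm(*[p - 1 for p in primes])


def key_pairs(lam: int) -> List[Tuple[int, int]]:
    """All encode/decode pairs (c, d), 0 < c, d < lam, with c*d = 1 (mod lam);
    there are phi(lam) of them."""
    return [(c, pow(c, -1, lam)) for c in range(1, lam) if gcd(c, lam) == 1]


def order(g: int, w: int) -> int:
    """Multiplicative order of g modulo w (g must be coprime to w)."""
    k, x = 1, g % w
    while x != 1:
        x, k = x * g % w, k + 1
    return k


def full_order_elements(w: int, lam: int) -> List[int]:
    """The gammas in Z/wZ whose order is the universal exponent lambda(w)."""
    return [g for g in range(2, w) if gcd(g, w) == 1 and order(g, w) == lam]


def power_subset(gamma: int, w: int, lam: int) -> List[int]:
    """Gamma = {gamma, gamma^2, ..., gamma^lambda(w) = 1}, listed in exponent order."""
    return [pow(gamma, a, w) for a in range(1, lam + 1)]


def caesar_table(gamma: int, w: int, lam: int, c: int) -> List[Tuple[int, int, int]]:
    """Rows (a, a*c mod lam, (gamma^a)^c mod w).  Verifies for every exponent a
    that encryption x -> x^c on Gamma is the Caesar cipher a -> a*c."""
    rows = []
    for a in range(1, lam + 1):
        x = pow(gamma, a, w)                 # a member of Gamma
        enc = pow(x, c, w)                   # RSA / PHC encryption of it
        a_c = (a * c) % lam                  # the Caesar image of the exponent
        if enc != pow(gamma, a_c, w):
            raise AssertionError(f"Caesar equivalence fails at a={a}")
        rows.append((a, a_c, enc))
    return rows


def caesar_fraction(w: int, lam: int) -> float:
    """Share of the alphabet Z/wZ covered by one Caesar subsystem Gamma."""
    return lam / w


if __name__ == "__main__":
    lam = universal_exponent([5, 7])            # 12
    print(key_pairs(lam))                       # [(1, 1), (5, 5), (7, 7), (11, 11)]
    print(full_order_elements(35, lam))         # includes 2 and 3
    print(power_subset(2, 35, lam))             # [2, 4, 8, 16, 32, 29, 23, 11, 22, 9, 18, 1]
    for a, a_c, enc in caesar_table(2, 35, lam, 5):
        print(f"2^{a} -> 2^{a_c} = {enc}")
```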

It seems inappropriate to regard number-theoretic cryptosystems 
as weak because each of them has a huge subsystem Γ such that the 
cryptosystem operation on Γ is equivalent to a Caesar cipher key. 
We are left, rather, with a renewed respect for the much-maligned 
Caesar cipher because it can be transformed and inserted into a 
number-theoretic cryptosystem in a natural way that, as of this 
writing, leaves it unbroken. 

9. RSA AND FACTORIZATION 

RSA is formulated with Z and Z/wZ as the rings which draw 
most of our notice. We therefore pay a lot of attention to the 
problem of factoring w into the product of two primes p and q in 
the ring Z of integers. But the group-theoretic approach is neutral 
as regards the ring in question. There are infinitely many 
factorizations of an RSA modulus w. Many, such as the trivial 
factorizations 

w = 2 * (w/2) 

or 

w = √3 * (w/√3) 

seem to hold out little promise to a cryptanalyst. 

At Crypto '83 H. C. Williams suggested a somewhat more 
disciplined — and perhaps more informative — approach to 
factorization. It might be interesting to look at factorizations in 
the integral domain Q[θ] of an algebraic number [LE56, vol. 2, 
pp. 34-81] field Q(θ) (Here Q is the field of rational numbers, 
and θ is algebraic over Q). Such a factorization might [CR83] 
contain information sufficient to enable a cryptanalyst to calculate a 
large multiple kφ(pq) of φ(pq) = (p-1)(q-1). This would be enough 
information to provide a (very large) decoding exponent. 

The question of how to search for an appropriate θ (perhaps of 
the form θ = √d for d ∈ Z) and how to calculate a generalized 
Euler totient function in that Q[θ] is open. But it would seem that 
those who wish to use RSA might want to satisfy themselves that it 
does not yield to attacks of the Q[θ] type any more readily than to 
attacks made entirely within Z. 

10. DISCUSSION 

The motivation behind this work was to extend cryptography to 
infinite structures by analogy with recent extensions of the notion of 
threshold scheme [BL83] to infinite structures. But it seems 
necessary to justify the naturalness of the group-theoretic 
formulation as an abstraction arising out of consideration of many 
finite, as well as a few infinite, structures. So this paper dealt 
largely with finite examples, and very simple ones, to argue for the 
ubiquity of the 

m: P/E → A/L 

structure of messages. In the analog case, to be considered 
elsewhere, P/E and A/L are more likely to be infinite groups such 
as R/0R = R, or R/2πZ (essentially the complex unit circle under 
multiplication). 

We have given candidates for precise definitions of the rather 
intuitive notion of confusion (including substitution as a special 
case) and diffusion (including transposition). We have distinguished 
between a cryptosystem (a family of keys) and a key, i.e. a map which 
can be expressed in terms of confusion, diffusion, and replacement. 
This approach to key seems more mathematically natural than the 
old-fashioned viewpoint which regards a key as a number which, when 
entered into a crypto box, gives rise to the map this paper calls a 
key. 

We have given a precise definition of Caesar cipher more general 
than the one commonly found [K081, pp. 69-72] in the literature, and 
have shown that Caesars are not as cryptographically trivial as the 
conventional wisdom dictates. The Caesar cipher illustrates well, in 
a confusion/substitution context, what we hope to exemplify elsewhere 
regarding diffusion/transposition, namely that the natural group 
operation on the domain (resp. codomain) is often the basis of the 
diffusion operator t (resp. confusion operator s). 

The maps encountered in the keys which make up most well-known 
cryptosystems are not morphisms. Indeed the less algebraic structure 
these maps exhibit, the more likely the cryptosystems employing them 
in keys are to be secure. This seems to suggest more reliance on 
nonabelian groups P and A both in the design of future 
cryptosystems and in the upgrading of existing cryptosystems. 
Perhaps, eventually, even more general structures (e.g. monoids, 
semigroups, etc.) might become useful in cryptosystem design. 

More complicated finite cryptosystems, such as Polybius, 
Delastelle, Playfair [KA67] and the remarkably highly structured DES, 
require a deeper and more interesting elaboration of the topics 
introduced above. After that it will be natural to turn to infinite 
structures and to cryptanalysis. We will treat such topics elsewhere. 

NSA Grant MDA-83-H-0002 supported this work. 

CRYPTANALYSIS OF ADFGVX ENCIPHERMENT SYSTEMS 

Alan G. Konheim 

Extended Abstract 



The ADFGX cryptographic system, invented by Fritz Nebel, was introduced by Germany during World 
War I on March 5, 1918. The names ADFGX and ADFGVX for the successor system refer to the use of 
only five (and later six) letters A, D, F, G, (V,) X in the ciphertext alphabet. Kahn [KA] suggests that 
these letters were chosen because the differences between their International Morse symbols 

A ·−    D −··    F ··−·    G −−·    V ···−    X −··− 

helped prevent misidentification due to transmission noise. 


The ADFGVX system is historically important since it combined both letter substitution and fractionation 
(transposition). Although Allied cryptanalysts did not develop a general method for the solution of 
ADFGVX ciphertext, Georges Painvin of the French Military Cryptographic Bureau found solutions 
which significantly affected the military outcome in 1918. This paper proposes a new method for the 
cryptanalysis of ADFGVX-type systems. 

Let $A$ denote an alphabet of $m = M^2$ "letters" which we henceforth identify with the set of integers 
$Z_m = \{0, 1, \ldots, m-1\}$. The ADFGVX key $(\mathrm{SUB}, \pi)$ has two components; the first, an $M$ by $M$ array 
SUB containing an arrangement of the letters of $Z_m$. For example, with $m = 25$ 

        C R Y P T 
        O G A H B 
SUB =   D E F I K 
        L M N Q S 
        U V W X Z 

The second is a transposition 

$\pi = (\pi(0), \pi(1), \ldots)$ 

on $N$ places. 



G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 339-341, 1985. 
© Springer- Verlag Berlin Heidelberg 1985 
The steps in an ADFGVX encipherment are as follows: 

ADFGVX(1): Plaintext of $n$ $m$-letters 

$\vec{x} = (x_0, x_1, \ldots, x_{n-1}) \in Z_m^n$ 

is expanded into a $2n$-gram of $M$-letters 

$\vec{z} = (z_0, z_1, \ldots, z_{2n-1}), \qquad (z_{2i}, z_{2i+1}) = (x_{i,0}, x_{i,1}), \qquad x_{i,j} \in Z_M.$ 

The $\{z_i\}$ are determined by the substitution SUB 

$x_i \to (x_{i,0}, x_{i,1}), \qquad x_i \in Z_m,$ 

where $x_{i,0}$ and $x_{i,1}$ are the row and column coordinates of $x_i$ in SUB. 

ADFGVX(2): The "expanded" plaintext $\vec{z}$ is arranged in a (possibly) "ragged" 
$z$-array containing $r$ rows of $N$ columns and a (possible) 
$(r+1)$st "short" row of $s < N$ columns; 

$2n = rN + s \qquad (0 \le s < N)$ 

    z_0          z_1            ...   z_{N-1} 
    z_N          z_{N+1}        ...   z_{2N-1} 
    ...          ...                  ... 
    z_{(r-1)N}   z_{(r-1)N+1}   ...   z_{rN-1} 
    z_{rN}       ...            z_{rN+s-1} 

ADFGVX(3): The ciphertext $\vec{y} = (y_0, y_1, \ldots, y_{2n-1})$ is the concatenation 
of the columns of the $z$-array in the order defined by $\pi$. 



We assume the length $N$ of the transposition $\pi$ is known, although the method will suggest a procedure 
to test a value $N$ as a presumptive transposition length. The ciphertext 

$\vec{y} = (y_0, y_1, \ldots, y_{2n-1}), \qquad 2n = rN + s$ 

is the concatenation of segments $\{\vec{y}^{(i)}\}$ of $\vec{y}$ which correspond to the entries in a single column of the $z$-array. 
We call $\vec{y}^{(i)}$ a column vector. The cryptanalysis will follow these steps: 

Step 1: Determine which column vectors $\{\vec{y}^{(i)}\}$ are adjacent in the $z$-array. 

Step 2: Determine the relative order of the pair $\vec{y}^{(i)}, \vec{y}^{(j)}$ of adjacent column vectors: 

$\vec{y}^{(i)}\vec{y}^{(j)}$ or $\vec{y}^{(j)}\vec{y}^{(i)}$. 

Step 3: Recover the substitution SUB. 

Step 4: Recover the transposition $\pi$. 






To carry out Step 1, we detect the "dependence" between the marginal "letter counts" $N_i(s)$ and 
$N_j(t)$ for a pair of column vectors $\vec{y}^{(i)}, \vec{y}^{(j)}$ where 

$N_i(s) = \sum_{t=0}^{M-1} N_{i,j}(s,t), \qquad N_j(t) = \sum_{s=0}^{M-1} N_{i,j}(s,t),$ 

and $N_{i,j}(s,t)$ is equal to the number of solutions $k = 0, 1, \ldots$ of 

$y_{ir+k} = s, \qquad y_{jr+k} = t, \qquad 0 \le s, t < M.$ 

Dependence will be detected by a variant of the $\chi^2$-test. 
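As an added, self-contained illustration of the encipherment steps ADFGVX(1)-(3) and of the Step 1 dependence test, here is example code that is not part of Konheim's abstract. It assumes the 5 by 5 SUB square shown above, a hypothetical transposition π = (3, 0, 5, 1, 4, 2) on N = 6 places, the ciphertext symbols A, D, F, G, X as the M = 5 coordinate values, a constructed plaintext, and the s = 0 case (2n = rN) in which every column vector has the same length r, so the column vectors can be cut directly from the ciphertext. The dependence statistic is the ordinary Pearson χ² computed from the joint counts N_{i,j}(s,t) and their marginals; the paper's own variant of the test is not described on the page.

```python
from collections import Counter
from itertools import combinations

# Constructed example key: the 5x5 SUB square quoted in the abstract (J omitted,
# m = 25, M = 5) and a hypothetical transposition pi on N = 6 places.
SUB_ROWS = ["CRYPT", "OGAHB", "DEFIK", "LMNQS", "UVWXZ"]
CIPHER_ALPHABET = "ADFGX"          # the M = 5 coordinate symbols
PI = (3, 0, 5, 1, 4, 2)            # hypothetical: columns are read out in this order


def coordinates(sub_rows):
    """Map each m-letter to its (row, column) coordinates in SUB."""
    return {ch: (r, c) for r, row in enumerate(sub_rows) for c, ch in enumerate(row)}


def adfgvx_encipher(plaintext, sub_rows=SUB_ROWS, pi=PI, alphabet=CIPHER_ALPHABET):
    """ADFGVX(1)-(3): substitute into coordinate pairs, fill rows of N, read columns by pi."""
    coord = coordinates(sub_rows)
    n_cols = len(pi)
    # ADFGVX(1): x_i -> (x_{i,0}, x_{i,1}) gives the 2n-gram z.
    z = []
    for ch in plaintext:
        r, c = coord[ch]
        z.extend((alphabet[r], alphabet[c]))
    # ADFGVX(2): r full rows of N columns plus a possible short row of s < N columns.
    rows = [z[i:i + n_cols] for i in range(0, len(z), n_cols)]
    columns = [[row[c] for row in rows if c < len(row)] for c in range(n_cols)]
    # ADFGVX(3): the ciphertext is the concatenation of the columns in pi's order.
    return "".join("".join(columns[c]) for c in pi)


def adfgvx_decipher(ciphertext, sub_rows=SUB_ROWS, pi=PI, alphabet=CIPHER_ALPHABET):
    """Invert the three steps; used here only to check that the encipherment round-trips."""
    n_cols = len(pi)
    r_full, s = divmod(len(ciphertext), n_cols)          # 2n = rN + s
    length = [r_full + (1 if c < s else 0) for c in range(n_cols)]
    columns, pos = {}, 0
    for c in pi:                                         # columns arrive in pi's order
        columns[c] = ciphertext[pos:pos + length[c]]
        pos += length[c]
    z = [columns[c][i] for i in range(r_full + (1 if s else 0))
         for c in range(n_cols) if i < length[c]]        # row-major refill of the z-array
    letter = {(alphabet[r], alphabet[c]): ch for ch, (r, c) in coordinates(sub_rows).items()}
    return "".join(letter[(z[i], z[i + 1])] for i in range(0, len(z), 2))


def chi_square_dependence(col_u, col_v):
    """Pearson chi-square statistic for independence of the letter pairs (u_k, v_k).

    The joint count plays the role of N_{i,j}(s,t); the marginals are N_i(s) and N_j(t).
    A large value indicates that the two columns were adjacent in the z-array, since
    adjacent entries are the two coordinates of one plaintext letter.
    """
    length = len(col_u)
    joint = Counter(zip(col_u, col_v))
    marg_u, marg_v = Counter(col_u), Counter(col_v)
    stat = 0.0
    for s, n_s in marg_u.items():
        for t, n_t in marg_v.items():
            expected = n_s * n_t / length
            stat += (joint[(s, t)] - expected) ** 2 / expected
    return stat


def rank_column_pairs(ciphertext, n_cols):
    """Step 1 for the s = 0 case (2n = rN, all column vectors of equal length r):
    score every pair of presumed column vectors, most dependent first."""
    if len(ciphertext) % n_cols:
        raise ValueError("this example handles only the case 2n = rN (s = 0)")
    r = len(ciphertext) // n_cols
    vectors = [ciphertext[k * r:(k + 1) * r] for k in range(n_cols)]
    scored = [((a, b), chi_square_dependence(vectors[a], vectors[b]))
              for a, b in combinations(range(n_cols), 2)]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Constructed plaintext of n = 30 letters, so 2n = 60 = 10 * 6 and s = 0.
    PLAINTEXT = "ATTACKATDAWNONTHEEASTERNFRONTX"
    ct = adfgvx_encipher(PLAINTEXT)
    assert adfgvx_decipher(ct) == PLAINTEXT
    for pair, score in rank_column_pairs(ct, len(PI))[:5]:
        print(pair, round(score, 2))
```

With N even and s = 0, the columns 2k and 2k+1 of the z-array always hold the row and column coordinate of the same letter, which is the dependence the ranking is meant to surface; on short ciphertexts the χ² values of unrelated columns fluctuate, so the ranking is a guide for Step 2, not a proof.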

Having identified and ordered (Step 2) adjacent column vectors $\vec{y}^{(i)}, \vec{y}^{(j)}$, the sum 

is the count of $m$-letters $(s,t) \in Z_M \times Z_M = Z_m$, characteristic of a monalphabetic substitution. SUB 
may then be recovered by standard techniques. Having removed the effect of the substitution, the 
arrangement of the column vector pairs $\{(\vec{y}^{(i)}, \vec{y}^{(j)})\}$ to reconstitute the $z$-array requires the solution of 
a pure transposition system. 

The analysis requires an examination of several cases: 

Case 1:  $N \equiv 0 \pmod 2$,  $s = 0$ 
Case 2:  $N \equiv 0 \pmod 2$,  $0 < s < N$ 
Case 3:  $N \equiv 1 \pmod 2$,  $s = 0$ 
Case 4:  $N \equiv 1 \pmod 2$,  $0 < s < N$ 



Details and proofs will appear in a paper submitted to the IEEE Transactions on Information Theory. 
ABSTRACT 



This paper presents an outline of an attack that we have used 
successfully to break iterated knapsacks. Although we do not provide 
a proof that the attack almost always works, we do provide some heuristic 
arguments. We also give a detailed description of the examples 
we have broken. 

INTRODUCTION 

R. Merkle and M. Hellman [10] devised the first knapsack based 
cryptosystem. In this paper we will deal only with the Merkle-Hellman 
knapsack, although similar techniques will work on Graham-Shamir 
iterated knapsacks also. We will say that a set of positive integers 
$a_1, \ldots, a_n$ is an ordered $Y$-times iterated knapsack if there exists a 
superincreasing sequence $s_1, \ldots, s_n$ (i.e., $s_i > \sum_{j<i} s_j$), and integers 
$W_j, M_j, a_{j,i}$ for $1 \le j \le Y$ and $1 \le i \le n$ such that 

$a_{0,i} = s_i$ for $1 \le i \le n$, (1.1) 

$a_{j,i} = a_{j-1,i} W_j \bmod M_j$ for $1 \le j \le Y$ and $1 \le i \le n$, (1.2) 

$M_j > \sum_{i=1}^{n} a_{j-1,i}$ for $1 \le j \le Y$, (1.3) 

for $1 \le i \le n$. (1.4) 



* This work performed at Sandia National Laboratories supported 
by the U. S. Department of Energy under Contract Number 
DE-AC04-76DP00789. 
We use $a = b \bmod M$ to mean that $a$ is the least nonnegative residue. 
Let $\bar{W}_j = W_j^{-1} \bmod M_j$ for $1 \le j \le Y$. We will define integers 
$k_{j,i}$ for $1 \le j \le Y$ and $1 \le i \le n$ to be those integers satisfying 

$a_{j,i} \bar{W}_j - k_{j,i} M_j = a_{j-1,i}$ for $1 \le j \le Y$ and $1 \le i \le n$. (1.5) 

We will say that a set of positive integers $a_1, \ldots, a_n$ is an 
unordered $Y$-times iterated knapsack if there is some permutation of 
the $a_1, \ldots, a_n$ that is an ordered $Y$-times iterated knapsack. 

To cryptanalyze this system, one must solve the knapsack (or 
subset sum) problem for the integers $a_1, \ldots, a_n$ and any subset sum $s$. 
That is, given $s$, one must find a 0-1 vector $(\alpha_i)$ such that 

$s = \sum_{i=1}^{n} a_i \alpha_i$ 

if such a 0-1 vector exists. 

In fact it is sufficient to be able to solve the knapsack problem 
for a 0-1 vector $(\alpha_1, \ldots, \alpha_n)$ which has $\le \tfrac{1}{2} n$ ones, because one can 
consider the subset sum $s$ and the subset sum $\sum_{i=1}^{n} a_i - s$. 
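An added worked example, not from the paper: the construction (1.1)-(1.3) carried out on a constructed toy instance (n = 6, Y = 2, s = (2, 3, 7, 15, 31, 62), (M_1, W_1) = (127, 10), (M_2, W_2) = (331, 17)), the subset-sum encryption, the legitimate receiver's decryption with $W_j^{-1} \bmod M_j$, the complement trick for vectors with more than ½n ones, and the information rate $n/\log_2(\max_i a_i)$ at each level. Because (1.4) is garbled above, the code takes the public weights to be the last level $a_{Y,i}$; it also checks $\gcd(W_j, M_j) = 1$, which the inverse used in (1.5) requires.

```python
from math import gcd, log2

# Constructed toy instance (not from the paper): n = 6, Y = 2, numbers small enough
# to follow by hand. The list below plays the role of s_1..s_n in (1.1); each
# (M_j, W_j) pair is one application of (1.2).
SUPERINCREASING = [2, 3, 7, 15, 31, 62]
ITERATIONS = [(127, 10), (331, 17)]        # (M_j, W_j) for j = 1, 2


def is_superincreasing(seq):
    """s_i > sum_{j<i} s_j for every i."""
    total = 0
    for s in seq:
        if s <= total:
            return False
        total += s
    return True


def iterate_knapsack(superincreasing, iterations):
    """Build the levels a_{0,i}, ..., a_{Y,i} of an ordered Y-times iterated knapsack.

    Enforces (1.3), M_j > sum_i a_{j-1,i}, and gcd(W_j, M_j) = 1 so that the inverse
    bar-W_j of (1.5) exists. Returns all levels; the last level is the public key.
    """
    if not is_superincreasing(superincreasing):
        raise ValueError("s_1..s_n must be superincreasing")
    levels = [list(superincreasing)]                       # (1.1): a_{0,i} = s_i
    for m_j, w_j in iterations:
        prev = levels[-1]
        if m_j <= sum(prev):                               # (1.3)
            raise ValueError("M_j must exceed the sum of the previous level")
        if gcd(w_j, m_j) != 1:
            raise ValueError("W_j must be invertible modulo M_j")
        levels.append([(a * w_j) % m_j for a in prev])     # (1.2)
    return levels


def encrypt(weights, bits):
    """Subset sum s = sum_i a_i * alpha_i for a 0-1 vector alpha."""
    return sum(a for a, b in zip(weights, bits) if b)


def decrypt_with_trapdoor(s, superincreasing, iterations):
    """Legitimate receiver: strip the iterations in reverse order with W_j^{-1} mod M_j
    (exact, because the sum of the lower level is below M_j), then solve the
    superincreasing instance greedily from the largest weight down."""
    for m_j, w_j in reversed(iterations):
        s = (s * pow(w_j, -1, m_j)) % m_j
    bits = [0] * len(superincreasing)
    for i in range(len(superincreasing) - 1, -1, -1):
        if superincreasing[i] <= s:
            bits[i] = 1
            s -= superincreasing[i]
    if s != 0:
        raise ValueError("no 0-1 solution")
    return bits


def complement_sum(weights, s):
    """If alpha has more than n/2 ones, sum(a_i) - s is the subset sum of the complement
    vector, which has fewer than n/2 ones; this is the reduction the text describes."""
    return sum(weights) - s


def information_rate(weights):
    """n / log2(max a_i): the rate that each iteration lowers."""
    return len(weights) / log2(max(weights))


if __name__ == "__main__":
    levels = iterate_knapsack(SUPERINCREASING, ITERATIONS)
    public = levels[-1]
    for j, level in enumerate(levels):
        print(f"level {j}: {level}  rate={information_rate(level):.3f}")
    s = encrypt(public, [1, 0, 1, 1, 0, 1])
    print("s =", s, "->", decrypt_with_trapdoor(s, SUPERINCREASING, ITERATIONS))
```

The public weights 9, 179, 197, 60, 290, 249 are not superincreasing and their information rate is already below that of the superincreasing sequence they hide, which is the effect of iteration that the text says the low-density attacks [2, 8] exploit.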

In this paper we will describe an algorithm for breaking $Y$-times 
iterated knapsacks in polynomial time. We have successfully demonstrated 
this algorithm on examples with $n = 100$ and $Y = 5$, 10, and 20. 

The first attack on knapsack based cryptosystems was found by Adi 
Shamir [13]. He discovered an algorithm for cryptanalyzing the single 
iteration Merkle-Hellman knapsack in polynomial time. Len Adleman [1] 
found a method for breaking the single iteration Graham-Shamir knapsack 
in polynomial time. His attack used the Lenstra, Lenstra, Lovász ($L^3$) 
lattice basis reduction algorithm [9], which could also be used to 
greatly speed up the attack on the Merkle-Hellman knapsack. Len Adleman 
[1] and Jeff Lagarias [7] have both developed attacks for the doubly 
iterated Merkle-Hellman knapsack. Adleman [1] also proposed an attack 
on multiply iterated knapsacks, but Brickell, Lagarias, and Odlyzko [3] 
showed that there were some problems with it. However the lattice 
that we use in our new attack is the same as the first lattice that 
Adleman used in his attack. 

By using a different approach, E. Brickell [2] and J. Lagarias and 
A. Odlyzko [8] have developed algorithms which will cryptanalyze MH or 
GS cryptosystems in polynomial time if the information rate is low 
enough. The information rate of a knapsack based cryptosystem is 
roughly $n / \log_2(\max_j a_{Y,j})$. It is not known exactly how low the information 
rate must be for these algorithms to work, but the information 
rate must at least be less than .645 before these methods can possibly 
be successful. Since each iteration lowers the information rate, these 
methods will break a knapsack cryptosystem if it has been iterated too 
many times. 

THE USE OF LATTICE REDUCTION 

The lattice basis reduction algorithm [9] is used in all of the 
attacks on knapsack based cryptosystems. A set of points, $L$, in $\mathbb{R}^n$ is a 
lattice if there exists a set of independent vectors $v_1, \ldots, v_m$ such that 

$L = \{z_1 v_1 + \cdots + z_m v_m : z_i \in \mathbb{Z} \text{ for } 1 \le i \le m\}.$ 

Such a set of vectors, $v_1, \ldots, v_m$, is called a basis for the lattice. The 
$L^3$ algorithm finds a reduced (or short) basis for the lattice. We will 
not give a precise definition of a reduced basis. We will only note 
that in a reduced basis, all of the basis vectors are relatively short 
in the Euclidean norm. 

Let $a_1, \ldots, a_n$ be an unordered $Y$-times iterated knapsack. Let $m$ be 
an integer $\le n$. Later we will put conditions on how small $m$ can be. 
Let $L$ be the $m$-dimensional lattice generated by the following vectors. 

$b_1 = (a_2, a_3, a_4, \ldots, a_m, 1/n)$ 
$b_2 = (a_1, 0, 0, \ldots, 0, 0)$ 
$b_3 = (0, a_1, 0, \ldots, 0, 0)$ 
$\quad\vdots$ 
$b_m = (0, 0, 0, \ldots, a_1, 0)$ 
The first step in the algorithm is to find a reduced basis for $L$ 
by using the $L^3$ algorithm. We now must go into a rather detailed 
discussion to describe the vectors we expect to see in the reduced basis. 

Let $D$ be the smallest integer such that $2^D > \max\{a_1, \ldots, a_n\}$. Then 
$M_Y, W_Y, a_1, \ldots, a_n$ should be $O(2^D)$. Since $M_j > \sum_{i=1}^{n} a_{j-1,i}$, we will assume 
that $M_{Y-k}, W_{Y-k}, a_{Y-k,i}$ are $O(2^{D - k \log n})$. 
The norm of the vector 

$w = -a_1 b_1 + \sum_{i=2}^{m} a_i b_i = (0, 0, \ldots, 0, -a_1/n)$ 

is $O(2^{D - \log n})$. If we take $m > D/(\log n - 1)$, then $w$ would probably be the 
shortest vector in $L$ if the integers $a_1, \ldots, a_n$ were chosen from the 
uniform distribution on $(0, 2^D)$. However, because $a_1, \ldots, a_n$ are an unordered 
$Y$-times iterated knapsack, there are other vectors in $L$ that are about 
the same length as $w$. For this discussion we will refer to any vector 
in $L$ with norm $\le O(2^{D - \log n})$ as a short vector. 

Adleman found that there was a short vector that was a result of 
the last iteration. From (1.5) 

$a_i \bar{W}_Y - k_{Y,i} M_Y = a_{Y-1,i}.$ 

Divide by $M_Y a_i$: 

$\frac{\bar{W}_Y}{M_Y} - \frac{k_{Y,i}}{a_i} = \frac{1}{M_Y}\left(\frac{a_{Y-1,i}}{a_i}\right).$ 

Subtract equation $i$ from equation 1: 

$\frac{k_{Y,i}}{a_i} - \frac{k_{Y,1}}{a_1} = \frac{1}{M_Y}\left(\frac{a_{Y-1,1}}{a_1} - \frac{a_{Y-1,i}}{a_i}\right).$ 

Multiply by $a_1 a_i$: 

$k_{Y,i} a_1 - k_{Y,1} a_i = \frac{1}{M_Y}\left(a_i a_{Y-1,1} - a_1 a_{Y-1,i}\right).$ (2.1) 

So 

$k_{Y,i} a_1 - k_{Y,1} a_i = O(2^{D - \log n}).$ 

In the vector 

$-k_{Y,1} b_1 + \sum_{i=2}^{m} k_{Y,i} b_i$ 

each coordinate is $O(2^{D - \log n})$, so 

$\left| -k_{Y,1} b_1 + \sum_{i=2}^{m} k_{Y,i} b_i \right| = O(2^{D - \log n}).$ 

Lagarias [7] found a description for short vectors in $L$ that are 
the result of many iterations. Let $t$ be an integer with $1 \le t \le Y$. 
By applying equation (1.5) repeatedly we get 

$a_i \bar{W}_Y \cdots \bar{W}_t - k_{Y,i} M_Y \bar{W}_{Y-1} \cdots \bar{W}_t - k_{Y-1,i} M_{Y-1} \bar{W}_{Y-2} \cdots \bar{W}_t - \cdots - k_{t,i} M_t = a_{t-1,i}.$ 

We divide by $a_i M_Y \bar{W}_{Y-1} \bar{W}_{Y-2} \cdots \bar{W}_t$ to get 

$\frac{\bar{W}_Y}{M_Y} - \frac{k_{Y,i}}{a_i} - \frac{k_{Y-1,i}}{a_i}\,\frac{M_{Y-1}}{M_Y \bar{W}_{Y-1}} - \cdots - \frac{k_{t,i}}{a_i}\,\frac{M_t}{M_Y \bar{W}_{Y-1} \bar{W}_{Y-2} \cdots \bar{W}_t} = \frac{a_{t-1,i}}{a_i M_Y \bar{W}_{Y-1} \bar{W}_{Y-2} \cdots \bar{W}_t}.$ 

Using the theory of simultaneous Diophantine approximation, there 
exist many sets of integers $(r_0, \ldots, r_Y)$ such that for $1 \le j \le Y$ 

$r_j = 0 \qquad \text{or} \qquad \frac{r_j}{r_Y} \approx \frac{M_j}{M_Y \bar{W}_{Y-1} \cdots \bar{W}_j}.$ (2.2) 

Each of these vectors will give rise to a short vector in the lattice. 
For if we let 

$h_i = \sum_{j=1}^{Y} k_{j,i} r_j - r_0 a_i$ for $1 \le i \le m$, (2.3) 

then the vector 

$-h_1 b_1 + \sum_{i=2}^{m} h_i b_i$ (2.4) 

will be a short vector in the lattice. We will call such a vector a 
desirable vector. 

We would like to have $Y$ desirable vectors in the reduced basis. 
Let $\pi$ be a permutation on the first $n$ integers such that $a_{\pi(1)}, \ldots, a_{\pi(n)}$ 
is an ordered $Y$-times iterated knapsack. We can pick any $m$ of the 
weights $a_1, \ldots, a_n$. If we pick these weights so that we do not pick 
$a_{\pi(n)}, a_{\pi(n-1)}, a_{\pi(n-2)}$, then we expect to get $Y$ desirable vectors 
in the reduced basis. 

The reason that we do not want $a_{\pi(n)}, a_{\pi(n-1)}$, or $a_{\pi(n-2)}$ is 
because the $Y$ short vectors exist because $a_{j-1,i}/M_j$ is small for $j = 1, \ldots, Y$ 
and all $i$ in the weights that we pick. But 

$\frac{a_{0,\pi(n)}}{M_1} \approx \frac{1}{2} \qquad \text{and} \qquad \frac{a_{0,\pi(n-2)}}{M_1} \approx \frac{1}{8}$ 

and these ratios are not small enough. In the examples that we tried, 
if $a_{\pi(n)}, a_{\pi(n-1)}$, or $a_{\pi(n-2)}$ were in the chosen set, then we only 
had $Y-1$ short vectors. But if these three weights were not in the chosen 
set and $a_{\pi(n-3)}$ was, then we still had $Y$ short vectors. 

This condition on the way we must choose an $m$-set will not seriously 
affect the running time. The probability of picking a good 
$m$-set is 

Thus we expect to make about $\left(\frac{n}{n-m}\right)^3$ choices to get a good $m$-set. 

The information that we obtain from these short vectors are the 
coefficients $h_i$ which we can recover from (2.4). We only know $h_i$ for 
$1 \le i \le m$, and these $h_i$ satisfy 

$\frac{h_1}{a_1} - \frac{h_i}{a_i} = O\!\left(\frac{1}{n M_Y}\right)$ for $1 \le i \le m$. 

(We haven't proven this, but it has been true in all of our examples.) 
We can define $h_i$ for $i > m$ by 

$h_i = \left[\frac{a_i h_1}{a_1}\right]$ for $m < i \le n$, 

where $[x]$ is the closest integer to $x$. Because the $h_i$, for $1 \le i \le m$, 
have the special form of (2.3) and the $r_j$ have the special form of (2.2), 

$\frac{h_1}{a_1} - \frac{h_i}{a_i} = O\!\left(\frac{1}{n M_Y}\right)$ for $1 \le i \le n$. 

To get the full impact of the power of these vectors $(h_1, \ldots, h_n)$, 
let $s$ be a subset sum such that 

$s = \sum_{i=1}^{n} \alpha_i a_i$ 

where $(\alpha_1, \ldots, \alpha_n)$ is a 0-1 vector with $\le \tfrac{1}{2} n$ ones. If we then define 

$t = \left[\frac{h_1}{a_1} \sum_{i=1}^{n} \alpha_i a_i\right]$ 

then 

$\frac{h_1}{a_1} \sum_{i=1}^{n} \alpha_i a_i = \sum_{i=1}^{n} \alpha_i \frac{a_i h_1}{a_1},$ 

but 

$\frac{a_i h_1}{a_1} = h_i + \varepsilon_i$ (2.5) 

where $\varepsilon_i$ is defined by (2.5). So 

$\frac{h_1}{a_1} s = \sum_{i=1}^{n} \alpha_i h_i + \sum_{i=1}^{n} \alpha_i \varepsilon_i.$ 

But 

$\left| \sum_{i=1}^{n} \alpha_i \varepsilon_i \right| < \frac{1}{2}.$ 

So 

$t = \sum_{i=1}^{n} \alpha_i h_i.$ 

Thus we can find $\sum_{i=1}^{n} \alpha_i h_i$ without knowing what the $\alpha_i$ are. 



THE USE OF DESIRABLE VECTORS 

In this section we will show how the short vectors in the reduced 
basis can be used to recover a superincreasing sequence of length $n - Y - e$. 
We will comment about $e$ later, but for now, assume that $e$ is a small 
integer. In this section we will assume that $a_1, \ldots, a_n$ is an ordered 
$Y$-times iterated knapsack. Suppose that we have reduced the lattice 
and we have $Y$ desirable vectors of the form 

$v_l = -h_{l,1} b_1 + \sum_{i=2}^{n} h_{l,i} b_i, \qquad 1 \le l \le Y,$ 

such that 

$h_{l,i} = \sum_{j=1}^{Y} k_{j,i} r_{l,j} - r_{l,0} a_i, \qquad 1 \le l \le Y,$ 

and $r_{l,j} = 0$ or $\dfrac{r_{l,j}}{r_{l,Y}}$ is a good approximation to $\dfrac{M_j}{M_Y \bar{W}_{Y-1} \cdots \bar{W}_j}$. 

For $1 \le i \le n$, let 

$H_i = \begin{pmatrix} a_1 & \cdots & a_Y & a_i \\ h_{1,1} & \cdots & h_{1,Y} & h_{1,i} \\ \vdots & & \vdots & \vdots \\ h_{Y,1} & \cdots & h_{Y,Y} & h_{Y,i} \end{pmatrix}, \qquad 
K_i = \begin{pmatrix} a_1 & \cdots & a_Y & a_i \\ k_{1,1} & \cdots & k_{1,Y} & k_{1,i} \\ \vdots & & \vdots & \vdots \\ k_{Y,1} & \cdots & k_{Y,Y} & k_{Y,i} \end{pmatrix}.$ 

Let 

$R = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ -r_{1,0} & r_{1,1} & \cdots & r_{1,Y} \\ \vdots & \vdots & & \vdots \\ -r_{Y,0} & r_{Y,1} & \cdots & r_{Y,Y} \end{pmatrix}.$ 

Then 

$R K_i = H_i.$ 



The following theorem gives us a way of computing the determinant 
of $K_i$. 

Theorem: 

Let $a_1, \ldots, a_n$ be an unordered $Y$-times iterated knapsack. Let 
$1 \le j \le Y$. Then 

$M_1 \cdots M_j \det\begin{pmatrix} a_{j,1} & \cdots & a_{j,j+1} \\ k_{1,1} & \cdots & k_{1,j+1} \\ \vdots & & \vdots \\ k_{j,1} & \cdots & k_{j,j+1} \end{pmatrix} = \det\begin{pmatrix} a_{0,1} & \cdots & a_{0,j+1} \\ a_{1,1} & \cdots & a_{1,j+1} \\ \vdots & & \vdots \\ a_{j,1} & \cdots & a_{j,j+1} \end{pmatrix}.$ 

Proof: 

The case $j = 1$ follows immediately from (2.1). We will complete the 
proof by induction. Since any permutation of $a_1, \ldots, a_n$ is an unordered 
$Y$-times iterated knapsack, we can apply the inductive hypothesis to any 
permutation of $a_1, \ldots, a_n$. So we get equality in the following statement 
by expanding about the last row and seeing that the cofactors are all 
equal. 

$\det\begin{pmatrix} a_{0,1} & \cdots & a_{0,j+1} \\ \vdots & & \vdots \\ a_{j-1,1} & \cdots & a_{j-1,j+1} \\ a_{j,1} & \cdots & a_{j,j+1} \end{pmatrix} 
= M_1 \cdots M_{j-1} \det\begin{pmatrix} a_{j-1,1} & \cdots & a_{j-1,j+1} \\ k_{1,1} & \cdots & k_{1,j+1} \\ \vdots & & \vdots \\ k_{j-1,1} & \cdots & k_{j-1,j+1} \\ a_{j,1} & \cdots & a_{j,j+1} \end{pmatrix}$ 

$= M_1 \cdots M_{j-1} \det\begin{pmatrix} a_{j,1}\bar{W}_j - k_{j,1} M_j & \cdots & a_{j,j+1}\bar{W}_j - k_{j,j+1} M_j \\ k_{1,1} & \cdots & k_{1,j+1} \\ \vdots & & \vdots \\ k_{j-1,1} & \cdots & k_{j-1,j+1} \\ a_{j,1} & \cdots & a_{j,j+1} \end{pmatrix}$ 

$= M_1 \cdots M_j \det\begin{pmatrix} a_{j,1} & \cdots & a_{j,j+1} \\ k_{1,1} & \cdots & k_{1,j+1} \\ \vdots & & \vdots \\ k_{j-1,1} & \cdots & k_{j-1,j+1} \\ k_{j,1} & \cdots & k_{j,j+1} \end{pmatrix}.$ 
Once again, let us take $a_1, \ldots, a_n$ to be an ordered $Y$-times iterated 
knapsack. For $1 \le i \le n$, let 

$A_i = \begin{pmatrix} a_{0,1} & \cdots & a_{0,Y} & a_{0,i} \\ a_{1,1} & \cdots & a_{1,Y} & a_{1,i} \\ \vdots & & \vdots & \vdots \\ a_{Y,1} & \cdots & a_{Y,Y} & a_{Y,i} \end{pmatrix}$ 

and 

$x_i = |\det(A_i)|.$ (3.1) 

For $i \le Y$, $x_i = 0$ since the last column in $A_i$ is identical to 
another column. However in all of the examples we have run, the 
sequence $x_i$ has been superincreasing for $i > Y + e$, where $e < 2$. 
Furthermore, since the cryptanalyst can compute $\det(H_i)$, he can 
compute the sequence $c x_i$ where $c = \det(R) / M_1 \cdots M_Y$. 

Let us give a heuristic argument for why we might expect $x_i$ to be 
superincreasing for $i > Y + e$. Expand $A_i$ about the first row to get 

$\det(A_i) = s_1 A_{1,1} + \cdots + s_Y A_{1,Y} + s_i A_{1,Y+1}$ (3.2) 
where $A_{1,j}$ is the $1,j$ cofactor of $A_i$. Let $B_{i,j}$ be the submatrix 
of $A_i$ formed by deleting the first row and $j$th column of $A_i$. So 

Each entry in the $l$th row of $B_{i,j}$ is less than $M_l$. We expect the 
distribution of the values of the $A_{1,j}$ to be independent of $i$ and $j$ 
since the distribution of the entries in $B_{i,j}$ is independent of $i$ and $j$. 

But the sequence $s_i$ is superincreasing, so there should be an $e$ such 
that for $i > Y + e$, the expression for $\det(A_i)$ in (3.2) is dominated by 
the last term. 

RECOVERING THE ORDER 

In the previous section, we showed that if a cryptanalyst had an 
ordered $Y$-times iterated knapsack, then he could recover a superincreas-
ing sequence. However, a cryptanalyst will usually be faced with an 
unordered $Y$-times iterated knapsack. So in this section we will show 
how we can apply techniques similar to those of the last section to 
find the order in an unordered $Y$-times iterated knapsack. 

Let $a_1, \ldots, a_n$ be an unordered $Y$-times iterated knapsack. Let $\pi$ be 
a permutation such that $a_{\pi(1)}, \ldots, a_{\pi(n)}$ is an ordered $Y$-times iterated 
knapsack, i.e., $a_{\pi(n)}$ corresponds to $s_n$, the largest element in 
the superincreasing sequence. We will present a method for finding $\pi(i)$ 
for $i > Y + e$, for $e$ as described in the previous section. 

Suppose we have already found $\pi(n), \ldots, \pi(n-j)$ for some $j$, 
$-1 \le j \le n - Y - e - 2$. (If $j = -1$, we haven't found anything yet.) Let 
$I_j = \{1, \ldots, n\} \setminus \{\pi(n), \ldots, \pi(n-j)\}$. We will pick many $(Y+1)$-subsets of 
$I_j$. For each subset $j_0, \ldots, j_Y \subset I_j$ that we pick, we will form a 
determinant 

$x_{j_0, \ldots, j_Y} = \det\begin{pmatrix} a_{j_0} & \cdots & a_{j_Y} \\ h_{1,j_0} & \cdots & h_{1,j_Y} \\ \vdots & & \vdots \\ h_{Y,j_0} & \cdots & h_{Y,j_Y} \end{pmatrix} = c \det\begin{pmatrix} s_{j_0} & \cdots & s_{j_Y} \\ a_{1,j_0} & \cdots & a_{1,j_Y} \\ \vdots & & \vdots \\ a_{Y,j_0} & \cdots & a_{Y,j_Y} \end{pmatrix}.$ (4.1) 
The reason we use these determinants is essentially the same 
as the reason we gave in the last section for expecting the $x_i$ to be 
superincreasing. When we expand the right hand matrix in (4.1) about 
the first row, we expect the distribution on the values of the cofac-
tors to be independent of the choice of $j_0, \ldots, j_Y$. So the value of 
$|x_{j_0, \ldots, j_Y}|$ should be dominated by the largest $s_j$ in the first row. 

After picking many $(Y+1)$-subsets of $I_j$, we will keep the subset 
$j_0, \ldots, j_Y$ that gives the smallest determinant $x_{j_0, \ldots, j_Y}$. We expect 
that the set $j_0, \ldots, j_Y$ does not contain any of $\pi(n-j-1), \ldots, \pi(n-j-\ell)$ 
for some value of $\ell$ which will depend on $n$, $j$, and $Y$. Thus we form 
the sequence 

$z_i = \det\begin{pmatrix} a_{j_1} & \cdots & a_{j_Y} & a_i \\ h_{1,j_1} & \cdots & h_{1,j_Y} & h_{1,i} \\ \vdots & & \vdots & \vdots \\ h_{Y,j_1} & \cdots & h_{Y,j_Y} & h_{Y,i} \end{pmatrix}$ 

for $1 \le i \le n$. For some small $\lambda$, the sequence $z_{\pi(n-j-\ell+\lambda)}, \ldots, z_{\pi(n)}$ 
should be superincreasing, and the other values of $z_i$ should be less than 
$z_{\pi(n-j-\ell+\lambda)}$. So we should be able to identify $\pi(n-j-\ell+\lambda), \ldots, \pi(n-j-1)$ 
and also check to see if our choice of $\pi(n-j), \ldots, \pi(n)$ was correct. 
We will set $j \leftarrow j + \ell - \lambda$ and continue with this iterative process. We 
continue until $j$ does not change. 

This method for recovering the order worked much better in practice 
than we expected. In our examples, we always were able to iterate 
until $j$ was less than $Y + 5$. In other words we were able to find an 
$e$-superincreasing sequence with $e < 5$. 

SOLVING FOR THE $\alpha_i$ 

All of the previous analysis has used only the weights $a_1, \ldots, a_n$. 
In this section we show how to finish the cryptanalysis. That is, given 
$s$, find a 0-1 vector that has less than $\tfrac{1}{2} n$ ones such that 

$\sum_{i=1}^{n} a_i \alpha_i = s,$ 
if such a vector exists. We will assume that we have integers $h_{j,i}$ 
for $1 \le j \le Y$ and $1 \le i \le n$ such that the sequence 

$x_i = \det\begin{pmatrix} a_1 & \cdots & a_Y & a_i \\ h_{1,1} & \cdots & h_{1,Y} & h_{1,i} \\ \vdots & & \vdots & \vdots \\ h_{Y,1} & \cdots & h_{Y,Y} & h_{Y,i} \end{pmatrix}$ 

is superincreasing for $i > Y + e$ and we can find $t_j$ (from (2.5)) such 
that 

$t_j = \sum_{i=1}^{n} \alpha_i h_{j,i}.$ 

We will find the $\alpha_i$ in three steps. 

Step 1: $i > Y + e$ 

Let 

$x = \det\begin{pmatrix} a_1 & \cdots & a_Y & s \\ h_{1,1} & \cdots & h_{1,Y} & t_1 \\ \vdots & & \vdots & \vdots \\ h_{Y,1} & \cdots & h_{Y,Y} & t_Y \end{pmatrix};$ 

then 

$x = \sum_{i=1}^{n} \alpha_i x_i.$ 

Since $x_i$ is superincreasing for $i > Y + e$, we can easily find $\alpha_i$ 
for $i > Y + e$. 

Step 2: $Y < i \le Y + e$ 

To find $\alpha_i$, we must solve a knapsack problem with about $e$ weights. 
We know $\alpha_i$ for $i > Y + e$, and $x_i = 0$ for $i \le Y$, so we can find 

$x' = \sum_{i=1}^{n} \alpha_i x_i - \sum_{i=Y+e+1}^{n} \alpha_i x_i = \sum_{i=Y+1}^{Y+e} \alpha_i x_i.$ 
So we hope that $e$ is small. We conjecture that $e$ is bounded by 
$O(\log n)$. In our examples, we always had $e < 5$. 

Step 3: $i \le Y$ 

Since we now know $\alpha_i$ for $i > Y$, let 

$s' = s - \sum_{i=Y+1}^{n} \alpha_i a_i,$ 

$t'_j = t_j - \sum_{i=Y+1}^{n} \alpha_i h_{j,i}, \qquad 1 \le j \le Y.$ 

Let 

$\mathbf{s} = (s', t'_1, \ldots, t'_Y)^T$ 

and 

$Z = \begin{pmatrix} a_1 & \cdots & a_Y & a_{Y+1} \\ h_{1,1} & \cdots & h_{1,Y} & h_{1,Y+1} \\ \vdots & & \vdots & \vdots \\ h_{Y,1} & \cdots & h_{Y,Y} & h_{Y,Y+1} \end{pmatrix}.$ 

The problem we are left with is to find a 0-1 vector 
$\alpha = (\alpha_1, \ldots, \alpha_{Y+1})^T$, if one exists, such that 

$Z\alpha = \mathbf{s}.$ 

If $\det(Z) \ne 0$, then this problem is easily solved. In all of our 
examples, we have found that $\det(Z) \ne 0$. We can speed up this opera-
tion by computing $Z^{-1} \bmod p$ where $p$ is the smallest prime such that 
$\det(Z) \not\equiv 0 \bmod p$. Then we are computing using integers less than $p$ 
instead of integers of size $O(2^D)$. 

RUNNING TIME 

The worst case running time of the algorithm is O(m^ D^ ). How-
ever in practice, the running time appears to be $O(mD^3)$. Also we 
might have to make $\left(\frac{n}{n-m}\right)^3$ choices of an $m$-set of weights before 
we get a good one. To find the order of the weights we must take 
$O(n)$ determinants. Each determinant takes $O(Y^3)$ multiplications of 
integers of length $D$. So the running time for finding the order is 
$O(nY^2D^2)$. So the total running time on the first part of the algor-
ithm is 

$O\!\left(m \left(\frac{n}{n-m}\right)^3 D^3\right) + O(nY^3D^2).$ 

The second part of the algorithm is solving for the $\alpha_i$'s after a cypher 
is received. The running time for this part is 

$O(n^2) + O(2^{e/2}) + O(Y^2).$ 

TESTS OF THE ALGORITHM 

Table 1 summarizes the examples we have run to test the algorithm. 

Type - refers to Merkle-Hellman or Graham-Shamir. 
N - the number of weights. 
R - the number of random bits used in constructing the superin-
creasing sequence. For MH knapsacks, all random bits are the 
low order bits. For GS knapsacks, half of the random bits 
are the low order bits, and the other half are the high 
order bits. 
Y - the number of iterations. 
D - the number of bits in the final (or public) weights. 
m - the number of weights used in the lattice reduction. 
Time - the running time in seconds of the $L^3$ algorithm on a Cray 1. 
Con - Time/(mD^3) 
Table 1. Examples 

Type   N     Y    R     D     m    Time      Con 
GS     40    4    14    82    18   27.6      2.78E-6 
MH     40    5    10    93    28   108.2     4.80E-6 
MH     40    5    20    113   30   210.6     4.86E-6 
MH     40    7    10    105   30   138.1     3.98E-6 
MH     40    10   10    123   32   250.1     4.20E-6 
MH     50    5    7     97    28   108.7     4.25E-6 
GS     50    5    16    96    24   92.3      4.34E-6 
MH     50    10   7     127   32   263.2     4.02E-6 
GS     64    5    64    158   37   653.7     4.48E-6 
GS     64    10   16    140   32   451.8     5.15E-6 
GS     100   5    16    151   30   295.5     2.86E-6 
GS     100   10   100   270   53   3542.0    3.40E-6 
GS     100   20   20    260   52   3355.3    3.67E-6 



CONCLUSION 

By extrapolating from the data in Table 1, we project that an 
iterated knapsack with N = 1000 , Y = 40, and R = 100 could be broken 
in 750 hours on the Cray. Since a knapsack of this size would require 
a 1.5 Mbit key, it is doubtful that a larger knapsack would ever be 
seriously considered. 

This algorithm will also break Shamir's ultimate knapsack [14]. 
It appears that the algorithm can be modified to break the knapsack 
that Brickell presented at Crypto '83 and also the lexicographic knap-
sack scheme of Petit [12]. 
Abstract. New general properties in the S-boxes were found. Techniques and theorems 
are presented which allow one to evaluate the non-substitution effect in f and the key 
clustering in DES. Examples are given. Their importance for the security of DES is 
discussed. 



1. Introduction 

The Data Encryption Standard, in short the DES, is the NBS cryptographic standard 
for the protection of commercial computer data (FIPS, 1977). Since 1981, it is also an 
ANSI standard. In the meantime, it is called DEA by ANSI (ANSI, 1980), and it is 
in use in many industrial applications. Recently it has been proposed to become an ISO 
(International Standard Organisation) standard under the name of DEA1 (ISO, 1983). 

There exist several reasons to explore the internal structure and the functional prop- 
erties in the DES. 

1. It can help to understand the DES. Remark that the design criteria of the DES 
are still classified (Bernhard, 1982). 

2. A better understanding of the DES can have two consequences: on the one hand, 
the detection of weaknesses can speed up a cryptanalytic attack. The detection 
of inherent strengths will on the other hand simplify the task of defining new 
standards when they are needed. 

3. The structure can be used in order to simplify or to speed up hardware and 
software implementations. 

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 359-376, 1985. 
To achieve the proposed goals, we first survey (section 2) the technical description 
of the DES as it appeared in the NBS publication. The reader who knows the NBS 
description of the DES can skip section 2. As the full description of all functions in the 
DES is very long, we refer to the literature (FIPS, 1977; Konheim, 1981; Meyer & Matyas, 
1982; Morris & al., 1977) for these functions. 

In section 3 general properties in the S-boxes and in the key scheduling will be 
combined. 

We analyze several functions in order to combine their properties. As a consequence 
this can be used to find different cleartexts for which the function f in the DES gives the 
same output. These results can also be used to analyze the key clustering in the DES, 
that is, to verify whether there exist different keys which give, for most cleartexts, the same 
ciphertext. 

2. NBS description of the DES 

The DES algorithm, as described by NBS (FIPS, 1977), consists of three fundamental 
parts: enciphering computation, calculation of f(R, K) and key scheduling calculation. 
They are briefly described below. 

First observe that several boxes are used in the DES algorithm. It would be a too long 
explanation to give the details of all these boxes; it can be found in the NBS description. 
The kind of boxes (e.g. permutation) will be mentioned. Remark that the input numbering 
starts from 0 for some boxes and from 1 for the other ones. 

In the enciphering computation, the input is first permuted by a fixed permutation 
IP from 64 bits into 64 bits. The result is split up into the 32 left bits and the 32 right 
bits, respectively L and R. Then a bitwise modulo 2 sum of the left part L and of f(R, K) 
is carried out. After this transformation, the left and right 32 bit blocks are interchanged. 
Observe that the encryption operation continues iteratively for 16 steps or rounds. In 
the last round, no interchange of the last obtained left and right parts is performed; the 
output is obtained by applying the inverse of the initial permutation IP to the result of 
the 16th round. 

In the calculation of f(R, K) the 32 right bits are first expanded to 48 bits in the box 
E, by taking some input bits twice, others only once. Then a bitwise modulo 2 sum of the 
expanded right bits and of 48 key bits is performed. These 48 key bits are obtained in the 
key scheduling calculation, which will be explained later on. The results of the modulo 2 
sum go to the eight S-boxes; each of these boxes has six inputs and four outputs. The 
S-boxes are nonlinear functions. The output bits of the S-boxes are permuted in the box 
P. 

Let us finally describe the key scheduling calculation. The key consists of 64 bits, of 
which 56 bits only are used. The other 8 bits are not used in the algorithm. The selection 
of the 56 bits is performed in box PC1, together with a permutation. The result is split 
into two 28 bit words C and D. To obtain the 48 key bits for each iteration, the words 
C and D are first left shifted once or twice. A selection and a permutation PC2 are then 
applied to the result. The output of PC2 is the 48 bit key word which is used in f(R, K). 
An additional table tells the user how many shifts must be performed to obtain the next 
48 key bits of the key for the following round. The DES can be used in four modes (FIPS, 
1980; Konheim, 1981). 
3. Propagation characteristics 

We first analyze the new properties, which we observed in the expansion phase, the 
S-boxes and the key scheduling. We combine our results with older ones (Davio, Desmedt 
& al., 1983) in order to discuss the non-substitution property in f and the key clustering 
in the DES. Let us first discuss the importance of the fact that f is not a substitution 
and of the key clustering. 

3.1. The importance of the propagation characteristics 

If f is not a substitution, for fixed key, the cardinality of the image plays an important 
role in the evaluation of the security of the DES. Indeed if the image of f contains only 
one element, the DES is completely linear. More generally, if the cardinality of the image 
of f is small the DES may be insecure. 

If there is a key clustering present in the DES, it may be possible that for many 
cleartexts the effect of modifying the key in a special way does not affect the ciphertext. 
If this is true for the DES it simplifies enormously an exhaustive attack. 
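As an added illustration of the enciphering skeleton described in section 2 and of the remark in section 3.1 about the image of f, here is example code that is neither DES nor part of this paper. It keeps the structure the text describes (split into L and R, sixteen rounds of L ⊕ f(R, K) followed by an interchange, no interchange after the last round, decryption by running the round keys in reverse) but uses hypothetical stand-ins everywhere the real tables would be: IP and its inverse are the identity, toy_f replaces E, the S-boxes and P, and toy_key_schedule replaces PC1, PC2 and the shift table. The second round function, constant_f, has an image of one element, so the whole cipher collapses to an affine map of the plaintext, which is what the text means by "completely linear".

```python
# Added illustration (not from the paper, and NOT DES): the Feistel skeleton of
# section 2 with hypothetical round function and key schedule. IP and IP^-1 are
# taken as the identity; the real DES tables are not reproduced here.
MASK32 = 0xFFFFFFFF
ROUNDS = 16


def toy_f(r, k):
    """Hypothetical 32-bit round function (not the DES f): key mixing, rotate, multiply."""
    x = (r ^ k) & MASK32
    x = ((x << 5) | (x >> 27)) & MASK32               # rotate left by 5
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32        # nonlinear over GF(2) because of carries
    return (x ^ (x >> 13)) & MASK32


def constant_f(r, k):
    """A degenerate f whose image has a single element (the case of section 3.1)."""
    return 0xDEADBEEF


def toy_key_schedule(key64):
    """Hypothetical schedule: 16 round keys of 32 bits from a 64-bit key (not PC1/PC2)."""
    return [((key64 >> ((7 * i) % 64)) ^ (key64 * (i + 1))) & MASK32 for i in range(ROUNDS)]


def feistel(block64, round_keys, f):
    """Section 2 structure: split into L and R; each round computes L xor f(R, K) and
    interchanges the halves; the last round performs no interchange."""
    left, right = (block64 >> 32) & MASK32, block64 & MASK32
    for k in round_keys:
        left, right = right, left ^ f(right, k)
    left, right = right, left        # cancel the interchange the final round does not do
    return (left << 32) | right


def encrypt(block64, key64, f=toy_f):
    return feistel(block64, toy_key_schedule(key64), f)


def decrypt(block64, key64, f=toy_f):
    """Same structure with the round keys applied in reverse order."""
    return feistel(block64, list(reversed(toy_key_schedule(key64))), f)


def is_affine_on(samples, key64, f):
    """True when E(p1) xor E(p2) == E(p1 xor p2) xor E(0) for every pair of samples,
    i.e. when the cipher behaves as an affine map of the plaintext over GF(2)."""
    zero = encrypt(0, key64, f)
    return all(
        encrypt(p1, key64, f) ^ encrypt(p2, key64, f) == encrypt(p1 ^ p2, key64, f) ^ zero
        for p1 in samples for p2 in samples
    )


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                 # constructed key
    pt = 0x5A5A5A5AA5A5A5A5                  # constructed plaintext block
    ct = encrypt(pt, key)
    assert decrypt(ct, key) == pt
    probes = [0, 1, pt, 0xFFFFFFFFFFFFFFFF]
    print("toy_f affine?     ", is_affine_on(probes, key, toy_f))
    print("constant_f affine?", is_affine_on(probes, key, constant_f))
```

The decryption check holds for any round function, which is the structural point of the Feistel construction: f is never inverted, so its being a substitution or not does not affect invertibility, only strength. With constant_f the affinity test passes for every probe set, so a chosen-plaintext attacker could predict ciphertext differences without the key; with toy_f it fails, as it should for any round function with a large image.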

3.2. The expansion phase 

The expansion phase plays a very important role in this section. 

3.3. The S-boxes 

3.3.1. An introduction 

We observed several new properties in the S-boxes. Most of our new properties are 
valid for all S-boxes and are consequently called "general properties". In the following 
sections some of these properties are used in order to analyze to what extent f is not a 
substitution and to analyze the key clustering. We did not apply all general properties in 
the following sections; perhaps in the future one will be able to explain why the S-boxes 
have these properties or to use them in some deeper analysis of the DES. 

Two kinds of properties are discussed. In the first kind we fix some input bits of the 
S-boxes (1, 2, ... , or 5 of the 6 possible bits). We are interested in what changes are 
propagated to the output and how. E.g. for the output one can wonder if the four output 
bits are always distinct if we change the non-fixed input bits, or if for some inputs the 
output is not affected. Secondly we discuss how the output changes if we complement 
some input bits of the S-boxes. 

We number the inputs of one S-box by abcdef as Davies did (Davies, 1981). We 
number the S-boxes from 1 to 8 and denote them as S_i. Remark that representations of 
the S-boxes, other than in the NBS standard, may be useful (Davio, Desmedt & al., 1983). 

3.3.2. Properties of the 5-boxes if some input bits are fixed 

The inputs a, b, e, f of the S-boxes play a special role in the DES. Indeed one half 
of the message input bits in each round influences two S-boxes. These bits will go to 
the mentioned input bits. These bits will play an important role in the analysis of the 
non-substitution property of the function f in the DES. The next properties draw special 
attention to the mentioned input bits. The following properties can however easily be 
generalized. One can easily verify them using a computer program. 

We number the properties by a double numbering technique, such that it is easy to 
refer to them. 

1. The observed properties hold for all S-boxes. We analyze if the output of an S-box 
can or cannot change if one modifies the inputs of an S-box in the following 
way: 

(a) fix the inputs e and f, 

(b) one is allowed to change c and d to an arbitrary value c' and d', 

(c) one changes the inputs a and b as described in the properties, 

1.1. $\neg(\forall c, d, c', d', e, f : S_i(0,0,c,d,e,f) \ne S_i(1,0,c',d',e,f))$, 

1.2. $\neg(\forall c, d, c', d', e, f : S_i(0,1,c,d,e,f) \ne S_i(1,1,c',d',e,f))$, 

1.3. $\forall c, d, c', d', e, f : S_i(0,1,c,d,e,f) \ne S_i(1,0,c',d',e,f)$, 

1.4. $\forall c, d, c', d', e, f : S_i(0,0,c,d,e,f) \ne S_i(1,1,c',d',e,f)$. 

Remark: One can wonder why e.g. $S_i(0,0,c,d,e,f)$ was not compared with 
$S_i(0,1,c',d',e,f)$. This property is already known. Indeed it is known (Konheim, 
1981) that each row (see NBS notation) of each S-box is a permutation. In other 
words $S_i(a,b,c,d,e,f) \ne S_i(a,b',c',d',e',f)$ for any two distinct values of (b,c,d,e) and (b',c',d',e'). 
The properties described here are in fact a generalization of it. 

2. The observed properties hold for all S-boxes, except property 2.4. We analyze 
if the output of an S-box can or cannot change if one modifies the inputs of an 
S-box in the following way: 

(a) fix the inputs a and b, 

(b) one is allowed to change c and d to an arbitrary value c' and d', 

(c) one changes the inputs e and f as described in the properties, 

2.1. $\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,0,0) \ne S_i(a,b,c',d',0,1))$, 

2.2. $\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,1,0) \ne S_i(a,b,c',d',1,1))$, 

2.3. $\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,0,1) \ne S_i(a,b,c',d',1,0))$, 

2.4. If $i \ne 4$ then: 

$\neg(\forall a, b, c, d, c', d' : S_i(a,b,c,d,0,0) \ne S_i(a,b,c',d',1,1))$. 
If $i = 4$ then: 

$\forall a, b, c, d, c', d' : S_4(a,b,c,d,0,0) \ne S_4(a,b,c',d',1,1)$. 

Remark: The properties 1.3 and 1.4 change if one also allows that the input e changes 
to the input e'. Then it will be possible to find identical outputs for special inputs. A 
similar remark is true for property 2.4 (i = 4) if one allows that the input b changes. 

3.3.3. Complementation properties of the S-boxes 

A well known (Hellman & al., 1976) property for the S-boxes is that if one 
complements one input of an S-box at least two output bits will change. We analyze the 
effect of complementing two input bits, while leaving the other ones unchanged. It is 
evident that one can easily generalize our properties for the case that 3 or more bits are 
complemented. The first aim was to observe whether it is possible to maintain a constant 
output if only two bits are complemented. First observe that in order to maintain a fixed 
output one has to complement bit a or f, otherwise we conflict with the permutation 
property of the "rows" in the S-boxes. For special abcdef inputs the output of an S-box 
remains unchanged if one complements two of the input bits. We give now the results of 
our research in table 1. 

Table 1: shows for how many out of 32 inputs a complementation of two bits of the input 
of an S-box has no effect. 

It is remarkable for each S-box that if only ab is complemented, the output changes. 
This is however very easy to prove starting from our properties 1.3 and 1.4 of the previous 
section. 
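The statements of sections 3.3.2 and 3.3.3 can be checked by exhaustive enumeration. The following Python is an added example, not part of the paper: it evaluates S3 and S4 (tables copied from FIPS 46) in the abcdef convention, tests properties 1.3, 1.4 and 2.4, reproduces the table 1 entry for S3 with a and e complemented (6 out of 32, the pairs of table 6), and checks that complementing only ab always changes the output. The function names are mine.

```python
# Added example (not from the paper): exhaustive checks of the S-box
# properties of sections 3.3.2 and 3.3.3.  S3 and S4 are the FIPS 46
# tables; inputs are numbered abcdef as in the paper, where a and f
# select the row and bcde the column.
from itertools import product

S3 = [
    [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
    [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
    [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
    [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12],
]
S4 = [
    [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
    [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
    [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
    [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
]

# bit masks of the six inputs abcdef (a is the most significant bit)
A, B, C, D, E, F = 32, 16, 8, 4, 2, 1


def sbox(table, x):
    """Evaluate an S-box on a 6-bit input written as abcdef."""
    row = ((x & A) >> 4) | (x & F)   # row = 2a + f
    col = (x >> 1) & 0xF             # column = bcde
    return table[row][col]


def sbox_at(table, a, b, c, d, e, f):
    return sbox(table, a << 5 | b << 4 | c << 3 | d << 2 | e << 1 | f)


def unchanged_pairs(table, mask):
    """Input pairs (x, x^mask) whose output does not change when the bits
    in `mask` are complemented; len() of the result is the table 1 entry
    ("out of 32 inputs")."""
    return [(x, x ^ mask) for x in range(64)
            if x < x ^ mask and sbox(table, x) == sbox(table, x ^ mask)]


def property_13(table):
    """Property 1.3: for all c,d,c',d',e,f : S(0,1,c,d,e,f) != S(1,0,c',d',e,f)."""
    return all(sbox_at(table, 0, 1, c, d, e, f) != sbox_at(table, 1, 0, c2, d2, e, f)
               for c, d, c2, d2, e, f in product((0, 1), repeat=6))


def property_14(table):
    """Property 1.4: for all c,d,c',d',e,f : S(0,0,c,d,e,f) != S(1,1,c',d',e,f)."""
    return all(sbox_at(table, 0, 0, c, d, e, f) != sbox_at(table, 1, 1, c2, d2, e, f)
               for c, d, c2, d2, e, f in product((0, 1), repeat=6))


def property_24(table):
    """The i = 4 form of property 2.4: for all a,b,c,d,c',d' :
    S(a,b,c,d,0,0) != S(a,b,c',d',1,1).  The paper states it holds for S4 only."""
    return all(sbox_at(table, a, b, c, d, 0, 0) != sbox_at(table, a, b, c2, d2, 1, 1)
               for a, b, c, d, c2, d2 in product((0, 1), repeat=6))


def min_output_change_single_bit(table):
    """Fewest output bits that change when exactly one input bit is
    complemented (Hellman & al., 1976: at least two)."""
    return min(bin(sbox(table, x) ^ sbox(table, x ^ (1 << i))).count("1")
               for x in range(64) for i in range(6))


if __name__ == "__main__":
    # reproduce table 6: inputs of S3 unaffected by complementing a and e
    for x, y in unchanged_pairs(S3, A | E):
        print(f"{x:06b} -> {sbox(S3, x):04b}   {y:06b} -> idem")
    print("S3 ab complemented, unchanged inputs:", len(unchanged_pairs(S3, A | B)))
```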

3.4. The key scheduling 

In our analysis of the key clustering we used in detail the key scheduling in the DES. 
The ideas of Neutjens about the key scheduling in the DES were very useful in this context 
(Neutjens, 1983). We now survey them and explain them systematically. We number the 
56 key bits from 1 to 64 as in the NBS description (FIPS, 1977). 

First of all remark that after PC1 one can split up the key scheduling in the DES 
completely in two parts. PC2 does not affect this decomposition (Davio, Desmedt & al., 
1983). As a consequence of this decomposition, one can separate for one round in the 
DES the selection of the key bits which will influence the first four S-boxes and the last 
four S-boxes. Let us now construct the equivalent scheme. All used notations, e.g. the 
registers C and D, originate from the NBS representation of the DES. 

We represent the register content of C by $(c_1, c_2, \ldots, c_{28})$ and that of D by 
$(d_1, d_2, \ldots, d_{28})$. Mostly in the key scheduling the registers C and D are shifted twice to 
obtain the $K_i$ of the i-th round, e.g. $(c_1, c_2, c_3, \ldots, c_{28})$ is transformed into 
$(c_3, c_4, c_5, \ldots, c_2)$. This can now be reformulated for the C register as one shift on the following two 
registers $(c_1, c_3, c_5, \ldots, c_{27})$ and $(c_2, c_4, c_6, \ldots, c_{28})$. We call them respectively the odd and 
the even registers. One can then realize the key scheduling with 4 registers instead of 
two, which shift only once when in the NBS representation the registers shift twice. This 
reorganization affects PC1. 

One has now still to discuss what happens if only one shift is performed on C and D 
as in the iterations 1, 2, 9 and 16 using our equivalent representation. The first shift in the 
first iteration can be realized together with PC1. In the other situations we interchange 
the content of the odd and the even registers, by performing first a shift on the old content 
of the odd register and no shift on that of the even register. We then change also the name 
of each register: odd becomes even, even becomes odd. Indeed $(c_1, c_3, c_5, \ldots, c_{27})$, 
$(c_2, c_4, c_6, \ldots, c_{28})$ is then changed into $(c_2, c_4, c_6, \ldots, c_{28})$, $(c_3, c_5, c_7, \ldots, c_1)$. One can verify that 
the previous operations are identical to one shift in the NBS notation. 

Figure 1: An equivalent key scheduling. 

The register D can be treated in a similar way. Remark that it is more difficult to 
perform one shift in the NBS representation. However we are able to see better which 
bits of the key affect a particular S-box. We now represent this result in tables 2-5 and 
fig. 1, where X means that this key bit is not selected by PC2. 

Let us now apply all the described properties. 

3.5. The function f is not one-to-one for fixed K 

Let us remember here that the function f consists of the expansion box E, of the 
EXOR-ing with the key bits, of the S-boxes and of the permutation P. It has sometimes 
been wondered whether the f function is by itself a substitution. The answer to that 
question is negative (Davio, Desmedt & al., 1983; Konheim, 1981). A more systematic 
discussion is given in this section. 

We will now use the properties described in section 3.3.2. to demonstrate how they 
can be used in the analysis of the non-substitution of the function f. Evidently we 
assume that the key K is fixed. We analyze which bits of the message part R (see NBS 
notation) one must change in order to maintain the same output of the function f. We 
will progressively increase the number of changed bits. First we only change the inputs (or 
message part of the input) of one, two and then three S-boxes and generalize afterwards. 
We will mostly use the new as well as the well known (Hellman & al., 1976; Konheim, 
1981) general properties of the S-boxes, together with the structure of E (Davio, Desmedt 
& al., 1983). 

Theorem 1 : If for fixed key, one only changes the input of one S-box the output of 
the function f will change. 

Proof : In order not to affect the inputs of the other S-boxes one can only change 
the inputs c and d. However if the inputs a and f are not changed an S-box forms a 
substitution. 



Theorem 2 : If for fixed key, one changes only the input of two neighbouring S-boxes 
the output of the function f will change. 

Proof : Let us call the two affected S-boxes S_i and S_{i+1} and let us define S_9 as 
being S_1 (this again shows that it can be more interesting to start the numbering from 
0, see (Davio, Desmedt & al., 1983)). In order not to affect the input of S_{i-1} the inputs 
a and b of S_i may not change and similarly for the inputs e and f of S_{i+1} in order not 
to affect the inputs of S_{i+2}. In order not to conflict with the permutation properties of 
the "rows" of the S-boxes and using the previous remark, at least the input f in S_i must 
be complemented in order to maintain a fixed output. A similar remark is true for the 
input a of S_{i+1}. As a consequence of the expansion box E a complementation of the input 
e (respectively f) of S_i is equal to a complementation of the input a (respectively b) 
of S_{i+1}. So in order to produce the same output we have at least to complement a and b in 
S_{i+1}. Remark that the inputs c and d in S_{i+1} do not influence the proof. In other words 
even if one additionally changes the inputs c and d in S_{i+1} or does not, the output of S_{i+1} 
will change, by virtue of properties 1.3 and 1.4 of the S-boxes. 

■ 

Table 2: The effect of the selection of the key bits (1-64) by PC1 and PC2. The first row 
of the table indicates to which input of the S-boxes the key bits go. (Neutjens, 1983) 

Table 3: Similar as table 2. (Neutjens, 1983) 

Table 4: Similar as table 2. (Neutjens, 1983) 

Table 5: Similar as table 2. (Neutjens, 1983) 

Theorem 3 : Assume that for fixed key one changes only the input of three neighbouring 
S-boxes, the output of the function f will for some inputs remain identical only if at least 
all of the following conditions are satisfied together: 

1. one complements the inputs a, b and e of the middle of the three S-boxes, 

2. one complements the input c or d of the last S-box, 

3. one does not complement the input f of the middle of the three S-boxes. 

Proof : We call the three S-boxes S_{i-1}, S_i and S_{i+1} where S_0 is equal to S_8 and S_9 
equals S_1. The proof is for a large part similar to that of theorem 2. Let us first give the 
similar part of the proof. 

We must fix the inputs a and b of S_{i-1}, and e and f of S_{i+1}. The input f of S_{i-1} must 
be complemented and similarly for the input a of S_{i+1}. This last condition is equivalent to 
saying that the inputs b and e of S_i must be complemented. Now we apply the consequences 
of theorem 2 to continue our proof. 

If a and b are both complemented in S_{i+1}, the output will change (see proof of theorem 
2 or properties 1.3 and 1.4 of the S-boxes). Using previous observations the input b in 
S_{i+1} may not be complemented, or equivalently the input f in S_i. At this moment we 
already know that for S_i the inputs b and e must be complemented and f may not. 
Because each row in the S-boxes is a permutation and because the input f may not be 
complemented in S_i, the input a must be complemented in S_i. Remark that in fact one 
must still complement input c or d in S_{i+1}. Indeed if only one input bit in an S-box is 
complemented, the output changes. 



We have now proven the theorem. It is now very easy to generate in a systematic 
way several examples for which the function f remains constant even if some bits are 
complemented. 

3.6. The key clustering 

We analyze the clustering from the point of view that the DES contains j rounds, 
where j is between 1 and 16. The input for these j rounds is fixed, while we complement 
or change some bits of the key. So if we speak now about an input of an S-box, this input 
is related to a modification of the key. 

We first prove some general theorems for the key clustering, and afterwards we give 
some examples. 

3.6.1. A general approach 

First of all for a fixed input the permutation IP has no influence on the key clustering. 
We can start the analysis from L_s and R_s. This means that if we are interested in a 
complete DES analysis s = 0 and j = 16. Let us now apply the DES with the key K and 
K' and call the subkeys K_1 till K_16 and K'_1 till K'_16. The key K will produce some L and R 
register content, while K' produces L' and R'. The effect of the first of the j rounds is that 
in the case we use the key K we have $L_{s+1} = R_s$ and $R_{s+1} = L_s \oplus f(R_s, K_{s+1})$. Applying 
the key K' we obtain $L'_{s+1} = R_s$ and $R'_{s+1} = L_s \oplus f(R_s, K'_{s+1})$. After t rounds we obtain 
using key K the register content $L_{s+t} = R_{s+t-1}$ and $R_{s+t} = L_{s+t-1} \oplus f(R_{s+t-1}, K_{s+t})$. 

Using the key K' we have: $L'_{s+t} = R'_{s+t-1}$ and $R'_{s+t} = L'_{s+t-1} \oplus f(R'_{s+t-1}, K'_{s+t})$. Remark 
that in general by changing the key the content of the registers L and R change too. Let 
us now call $H_{s+t} = f(R_{s+t-1}, K_{s+t}) \oplus f(R'_{s+t-1}, K'_{s+t})$. It is now easy to see using (Davio, 
Desmedt & al., 1983) that the global effect of a change in the key has no final effect on 
the ciphertext if the two following conditions are satisfied together. 

1. $H_{s+1} \oplus H_{s+3} \oplus H_{s+5} \oplus \cdots \oplus H_t = 0$, where $t = s + j$ if j is odd, else $t = s + j - 1$. 

2. $H_{s+2} \oplus H_{s+4} \oplus H_{s+6} \oplus \cdots \oplus H_u = 0$, where $u = s + j$ if j is even, else $u = s + j - 1$. 

Using the previous conditions it is now easy to analyze the conditions necessary for key 
clustering if one analyzes only 1, 2, 3 or 4 rounds. The analysis of more rounds seems to 
be more difficult. 

3.6.2. An analysis of the key clustering in a DES with 1, 2, 3 or 4 rounds 

In the case one round is considered we must have $H_{s+1} = 0$. This means $f(R_s, K_{s+1}) = 
f(R_s, K'_{s+1})$. Using previous knowledge on the S-boxes this means that the input of an 
S-box is not changed or that at least two bits change. It is very easy to generate several 
examples for this case. Using the fact that E is an expansion of 32 bits to 48 bits and its 
structure (Davio, Desmedt & al., 1983) and because PC2 selects only 48 bits out of the 
56 bits of the key we have the following result. For each (cleartext, ciphertext) pair in a 
one round DES there exist exactly $2^{24}$ keys which generate the same (cleartext, ciphertext) 
pair starting from a fixed cleartext. If a similar remark remains true for the complete DES 
algorithm (16 rounds), the DES is very easy to break using a simplified exhaustive attack. 
Let us therefore start to analyze more rounds. 

In the case two rounds are considered we must have $H_{s+1} = 0$ and $H_{s+2} = 0$. This 
means $f(R_s, K_{s+1}) = f(R_s, K'_{s+1})$, as in the previous case, and additionally $f(R_{s+1}, K_{s+2}) = 
f(R'_{s+1}, K'_{s+2})$, because from the first equality we have $R'_{s+1} = R_{s+1}$. Remark that the 
S-boxes must satisfy similar conditions as in the case only one round was considered. 
However to satisfy it for the two rounds together we must take the key scheduling in the 
DES into consideration. This is now easy to do if one uses the tables explained earlier. 
We now give a simple example of it. 

Example 1. If one complements the bits 3 and 44 (in the NBS notation) of any 64 bit 
key, then there exist $6 \cdot 2^{59}$ pairs of (cleartext, ciphertext) which remain identical during 
rounds 1 and 2 in the DES. In other words, about 1/5 of all pairs (cleartext, ciphertext) 
are not affected by the complementation of 2 bits of the key, during rounds 1 and 2. 

Let us now explain using fig. 2 what happens and how one can calculate the (cleartext, 
ciphertext) pairs. The bits 3 and 44 go both after the key scheduling in the first round to 
S3 and become there the inputs a and e. Using table 1 we know that for 6 out of 32 (or 12 
out of 64) possible inputs a complementation of a and e in S3 does not change the output. 
This means that the possible inputs for which the above property is true are restricted 
from $2^{64}$ to $6 \cdot 2^{59}$. The cardinality of the set of cleartexts for which the explained clustering 
is satisfied is independent of the used key. However the set of cleartexts for which the above 
clustering is satisfied, changes if other keys are considered. This is a consequence of the 
exor of the subkey with the expanded R register in the function f. 

Let us now analyze which input for the S-boxes we must force in order to satisfy the key 
clustering. The input for S3, in the first round, must be one of those collected in table 6, 
in order to satisfy the key clustering. Now we must still analyze which restrictions the 
second round imposes on the possible cleartext. The analysis in this example is 
straightforward because the key bits 3 and 44 are not selected in the second round, so no 
extra condition is necessary. 

Figure 2: Example 1 on the key clustering in a two round DES. 

    input S3     output S3 
    abcdef 
    000100       1001 
    100110       idem 
    000101       0000 
    100111       idem 
    010000       0001 
    110010       idem 
    010100       1100 
    110110       idem 
    010111       1110 
    110101       idem 
    011011       1011 
    111001       idem 

Table 6: Inputs (in binary form) for S3 which generate the same output if the bits a and 
e are complemented. 
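The routing of key bits used in example 1 (and later in example 3) is what tables 2-5 and fig. 1 record. The Python below is an added example, not part of the paper: it recomputes where any NBS-numbered key bit arrives in any round from the FIPS 46 tables PC-1, PC-2 and the shift schedule, and checks that bits 3 and 44 reach inputs a and e of S3 in round 1 and are not selected in round 2. The function names are mine.

```python
# Added example (not from the paper): where does each key bit go in each
# round?  This reproduces the information of tables 2-5 / fig. 1 from the
# FIPS 46 tables.  Key bits are numbered 1..64 (NBS), S-box inputs abcdef.
PC1 = [57, 49, 41, 33, 25, 17, 9,
       1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,
       19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,
       21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
# number of left rotations of C and D before rounds 1..16
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def key_bit_destination(key_bit, rnd):
    """Return (S-box number, input letter) fed by NBS key bit `key_bit` in
    round `rnd` (1..16); None if PC-2 does not select it in that round
    (the X of tables 2-5); "parity" for the 8 bits discarded by PC-1."""
    if key_bit not in PC1:
        return "parity"
    pos = PC1.index(key_bit) + 1                       # 1..56 after PC-1
    base, p = (0, pos) if pos <= 28 else (28, pos - 28)  # C or D register
    rotations = sum(SHIFTS[:rnd])
    p = (p - 1 - rotations) % 28 + 1                   # left rotation: p -> p-1
    if base + p not in PC2:
        return None
    j = PC2.index(base + p)                            # 0-based subkey bit
    return j // 6 + 1, "abcdef"[j % 6]


def key_bit_arriving(rnd, sbox, letter):
    """Inverse lookup: the NBS key bit arriving at input `letter` of S-box
    `sbox` in round `rnd`."""
    for k in range(1, 65):
        if key_bit_destination(k, rnd) == (sbox, letter):
            return k
    raise ValueError("no key bit reaches that input")


def register_split_holds():
    """Section 3.4: after PC-1 the schedule splits in two, the subkey bits
    of S1..S4 coming only from C and those of S5..S8 only from D."""
    return all(p <= 28 for p in PC2[:24]) and all(p > 28 for p in PC2[24:])


if __name__ == "__main__":
    for k in (3, 44):
        print(k, [key_bit_destination(k, r) for r in (1, 2)])
    # round-1 row of table 2: which key bit feeds each S-box input
    for box in range(1, 9):
        print("S%d:" % box, [key_bit_arriving(1, box, c) for c in "abcdef"])
```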

One may observe that we were lucky in the construction of the previous example. 
First the non-selection of the key bits in the second iteration seems to be lucky. Secondly 
example 1 is only valid for rounds 1 and 2 in the DES. In the following example the reader 
can observe that similar examples can be given for all rounds and that it is not necessary 
that some key bits are not selected in the second or first round. 

Example 2. This example is true for most consecutive rounds. As a consequence of 
the ideas of Neutjens on the key scheduling (see section 3.4), two consecutive rounds can 
mostly be analyzed systematically (Neutjens, 1983). This is true if one uses two shifts in 
the key scheduling, as represented by the NBS, to move to the next round. This means 
the rounds 2-3, 3-4, 4-5, 5-6, 6-7, 7-8, 9-10, 10-11, 11-12, 12-13, 13-14 and 14-15. In 
order not to affect the generality we will use a more general description of the property. 
If one complements the two bits of the key which will "arrive" in S-box 4 at locations a 
and e during the first of the two above rounds, then for every key there exist $24 \cdot 2^{54}$ (or 
about 1/43 of all possible) pairs (cleartext, ciphertext) which remain identical during the two 
consecutive rounds mentioned earlier. This can be easily analyzed (similar as in example 
1) using tables 2-5, and using our properties of the S-boxes (table 1). 

Let us now consider three consecutive rounds. First more restrictions on the cleartext 
are then imposed in order not to affect the ciphertext if one modifies the key. This is a 
consequence of the key scheduling. However the output of the function f in the first and 
last (of the three) rounds must no longer be constant (see section 3.6.1). This relaxes the 
imposed restrictions. Let us give a short example to illustrate it. 

Example 3. The three consecutive rounds may be 2-3-4, 3-4-5, 4-5-6, 5-6-7, 6-7-8, 
9-10-11, 10-11-12, 11-12-13, 12-13-14 and 13-14-15. Hereto one complements (e.g.) 
three bits of the key (fig. 3). In our example the three key bits must "arrive" at locations a 
and d in S-box 8 in the first round (of the three consecutive) and at location d in S-box 
4 in the second round (of the three consecutive). We call these three key bits respectively 
k_1, k_2 and k_3. By analyzing the box P (see (Davies, 1981)) and using section 3.6.1 two 
cases can be distinguished. 

1. The third output bit of S8 is complemented in the first and third iteration (of the 
three consecutive) as a consequence of the previous modification of the key. In 
other words bit 15 of the output of f (after the box P) must be complemented 
in the first and last round. The modification of the previous bit will have no 
influence at all in the second round of the three. Indeed after the expansion phase 
it is exored with key bit k_3 which we complemented too. Remark first that the 
set of cleartexts for which the above clustering is satisfied changes if other keys 
are considered. This is a consequence of the exor of the subkey with the expanded 
R register in the function f. Let us now analyze which input we must force at the 
input of the S-boxes, in the three rounds, in order to satisfy the above conditions. 
Remember from fig. 2 that the input of the S-boxes is equal to the subkey 
exor the expanded R register. In the first round key bits k_1 and k_2 influence 
respectively the inputs a and d in S8, as a consequence of our choice. k_3 is not 
selected. The input of S8 must be chosen from table 7. In the second round (of 
the three consecutive) we already discussed the influence of key bit k_3. Using tables 2-5 
we find that k_1 and k_2 become now the inputs a and e respectively in S7. The 
input of S7 must be chosen from table 8. In the third round k_1 and k_2 influence 
respectively the inputs b and f of S8. The input of S8 must be chosen from 
table 9. 

2. The second and third output bits of S8 are complemented in the first and third 
round as a consequence of the previous modification of the key. We must then 
choose the inputs of S8 in the first round out of table 10, the inputs of S7 in the 
second round out of table 11 and the input of S8 in the third round out of table 12. 
This can be analyzed in a similar way as for the first case. 

We can then analyze that for 50% of the keys: For 21 on 16384 (about 1/780) cleartexts, 
the ciphertext is not modified. For the other 50% of the keys this happens for 1 on 2048 
cleartexts. This analysis is involved. The reader can check it using tables 7-12. He must 
then take into consideration that the tables impose conditions on the cleartext input of 
the three rounds. Using fig. 3 he can then easily prove that the first round imposes some 
conditions on the right input of the cleartext. Similarly the second round imposes some 
conditions on the cleartext at the left side input of the three rounds. To analyze the 
restrictions on the input as a consequence of the third round the reader must use the 
property that each round is a substitution from $2^{64}$ to $2^{64}$ elements (Davio, Desmedt & 
al., 1983) for fixed key. Care should be taken in performing this last step. It is possible 
that previously imposed conditions influence the new one. Indeed by imposing special 
conditions on the cleartext, some restrictions can exist on the output of f in previous 
rounds. 

Other examples can easily be generated. It would be interesting to generalize the 
previous examples to the complete DES with 16 rounds. 




Figure 3: The key clustering in a three round DES. 
    input S8     output S8 
    abcdef 
    001001       1010 
    101101       1000 
    001100       1011 
    101000       1001 

Table 7: Inputs (in binary form) for S8 which generate outputs in which the third output 
bit is complemented if the bits a and d of the input are complemented. 



    input S7     output S7 
    abcdef 
    000000       0100 
    100010       idem 
    001001       0100 
    101011       idem 
    001111       1010 
    101101       idem 
    011000       0101 
    111010       idem 
    011001       0010 
    111011       idem 

Table 8: Inputs (in binary form) for S7 which generate the same output if the bits a and 
e are complemented. 



    input S8     output S8 
    abcdef 
    001100       1011 
    011101       1001 
    110000       0000 
    100001       0010 

Table 9: Inputs (in binary form) for S8 which generate outputs in which the third output 
bit is complemented if the bits b and f of the input are complemented. 
    input S8     output S8 
    abcdef 
    011001       0000 
    111101       0110 

Table 10: Inputs (in binary form) for S8 which generate outputs in which the second and 
third output bit is complemented if the bits a and d of the input are complemented. 



    input S7     output S7 
    abcdef 
    000010       1011 
    100100       idem 
    000101       1011 
    100011       idem 
    010101       0101 
    110011       idem 

Table 11: Inputs (in binary form) for S7 which generate the same output if the bits a, d 
and e are complemented. 



    input S8     output S8 
    abcdef 
    001000       0110 
    011001       0000 
    000011       1111 
    010010       1001 
    000111       1000 
    010110       1110 

Table 12: Inputs (in binary form) for S8 which generate outputs in which the second and 
third output bits are complemented if the bits b and f of the input are complemented. 
4. Conclusions and perspectives 

A cryptographic system can only be considered secure if a small modification in 
the cleartext and/or in the key strongly affects the ciphertext in a non-linear way. We 
described techniques for analyzing this constraint for the DES. We found that if the DES 
had only a few rounds it would be a weak system. Our analysis demonstrated at the same 
time that the known probabilistic tests done on the DES are insufficient to conclude that 
the scheme is secure. Were it possible to work out on a 16-round DES the techniques 
presented here one could possibly prove the so often alleged existence of a key clustering 
in the DES. 
DES HAS NO PER ROUND LINEAR FACTORS 



J. A. Reeds and J. L. Manferdelli 
ABSTRACT 

Interest in the cryptanalysis of the National Bureau of Standards' Data Encryption 
Standard (DES) has been strong since its announcement. Here we describe an attack on a class 
of ciphers like DES based on linear factors. 

If DES had any non trivial factors, these factors would provide an easier attack than one 
based on complete enumeration. Basically, a factor of order n reduces the cost of a solution 
from $2^{56}$ to $2^n + 2^{56-n}$. At worst (n = 1 or 55), this reduces the cost of a Diffie-Hellman search 
machine from 20 million dollars to 10 million dollars: a 10 million dollar savings. At best 
(n = 28), even without iteration, the method could reduce the cost from $2^{56}$ to $2^{28} + 2^{28}$: a 
computation well within the reach of a personal computer. 

Alas, DES has no such linear factors. 



INTRODUCTION 

The basic idea here is an elaboration of a trivial idea, too good to be true. If, for each 
distinct value of the key, DES mapped the plaintext blocks into the ciphertext blocks linearly, 
one could deduce the matrix of that linear transformation from a small number of corresponding 
plaintext/ciphertext blocks. Similarly, if the dependence of the ciphertext on the key was linear, 
one could solve for the key. Unfortunately, the S boxes introduce strong nonlinearities: each bit 
output from each S box can only be represented by polynomials (in 6 variables) over GF(2) with 
many terms (for a discussion of these representations and their connection to coding theory see 
[2], chapters 2, 13, 14). 

The current elaboration is that there might be three special linear functions of the 
plaintext, ciphertext and the key respectively such that the mapped ciphertext depends only on 
the mapped plaintext and mapped key. If the mapped key has lower dimensionality than the 
unmapped key, one can attempt to solve the mapped cryptosystem (possibly by brute force 
search). 
This mapping behavior is called cryptosystem factorization. In general, a cryptosystem 
consists of a plaintext space, a key space, a ciphertext space, and a family of invertible maps 
indexed by the key space. We say that cryptosystem A is a factor of cryptosystem B if there are 
maps (called factor maps ) between the plaintext, key, and ciphertext spaces such that the 
enciphering and deciphering actions of cryptosystem A can be recovered from those of 
cryptosystem B using the factor maps. If the factor mappings are linear functions we say A is a 
linear factor of B. If the key space of A is smaller than that of B one can profitably break B by 
first breaking A. 

There is no special reason to suppose that the DES has any factors, linear or not. But if 
it had they probably would have the same general round-by-round flavor that DES itself has. 
This paper shows that the individual round of DES has no linear factors. 



DES NOTATION 

DES is a product cipher. The key dependent transformation that DES induces on the 
plaintext is a product of a family of (involutory) transformations $\mu$ and $\lambda_i$. If L and R are the 
two 32 bit subwords of a 64 bit input, we have* 

$\mu : LR \mapsto RL$ 

and 

$\lambda_i : LR \mapsto L(R + f(E(L) + k_i))$ 

Using these conventions, 

$DES(K,P) = IP^{-1} \lambda_{16} \mu \lambda_{15} \mu \cdots \lambda_2 \mu \lambda_1 IP(LR)$ 

and, 

$DES^{-1}(K,P) = IP^{-1} \lambda_1 \mu \lambda_2 \cdots \lambda_{15} \mu \lambda_{16} IP(LR)$. 



* The sign "+" in this paper denotes addition. Here, we do addition in at least three different rings: the ordinary 
integers [1 + 1 = 2], GF(2) [1 + 1 = 0], and vector spaces over GF(2) [(1,0,1,1) + (1,1,0,1) = (0,1,1,0)]. To 
emphasize that we are interested in the arithmetical properties of the "+" operator, we use + in all three cases. 
We rely on the reader to distinguish which ring (and hence which operator) is being used in any given equation. 
In the second displayed equation, for example, the first plus denotes addition done in the vector space of 
dimension 32 over GF(2); the second plus refers to arithmetic done in the vector space of dimension 48 over 
GF(2). Readers who are not familiar with DES will see in a few paragraphs why the rings in the second 
equation are what we say they are. 
The transformation IP consists of a permutation of the input bits; it has no cryptographic 
significance and need not be mentioned any further. E, P and the S boxes $S_1, \ldots, S_8$ are defined 
in [1] and will be discussed in more detail below. $k_i$ (i = 1, 2, 3, ..., 16) is a 48 bit subkey for round 
i derived from a 56 bit key k according to a key schedule described in [1]. We refer to the 
composed map $\sigma_i = \mu \lambda_i$ as a "round" of DES. Note that DES is composed of 16 encrypting 
rounds with the switch of the 32 bit subwords suppressed in the final round. 

Denoting the vector space of dimension $n$ over GF(2) by $V_n$, we have: 

$$P : V_{32} \to V_{32}$$

$$f : V_{48} \to V_{32}$$

$E$ is the expansion matrix which takes $x = (x_1, \ldots, x_{32})$ to $(x_{E(1)}, \ldots, x_{E(48)})$. The function $f$ 
is obtained by applying successive S boxes to the successive six bits of the argument and then 
applying the permutation matrix $P$ to the resultant vector, i.e.: 

$$y = (S_1(x_1, \ldots, x_6), \ldots, S_8(x_{43}, \ldots, x_{48}))$$

$$f(x) = (y_{P(1)}, \ldots, y_{P(32)})$$

$E$ and $P$ are linear functions, $f$ is not. Writing this in tabular form, we get 

Two rounds of DES 

  round   left 32 bits          right 32 bits 
  0       L                     R 
  1       R                     L + f(E(R) + k_1) 
  2       L + f(E(R) + k_1)     R + f(E[L + f(E(R) + k_1)] + k_2) 



It is convenient to employ another set of equations to describe DES. Setting $x_0 = E(L)$, 
$x_1 = E(R)$ and $x_2 = E(L + f(E(R) + k_1))$, we can write a recurrence based on the second 
column of the table above. 

$$x_0 + x_2 = \phi(x_1 + k_1) \qquad (1)$$

where 

$$\phi(x) = Ef(x)$$

In fact, if we write down all 16 rounds (and perform an extra switch of the two 32 bit subwords 
at the end), we see that 

$$x_{i+1} + x_{i-1} = \phi(x_i + k_i) \qquad (2)$$

given the obvious definition for $x_i$ for $i = 1, 2, \ldots, 16$. With this notation, the output of the DES 
algorithm consists of two 32 bit subwords of $x_{16}$ and $x_{15}$. 



PER ROUND LINEAR FACTOR OF TYPE A 

For reasons that will become clear momentarily, we would like to find a matrix $A$, and a 
function $\psi$ such that 

$$A\phi(x) = \psi(Ax) \qquad (3)$$

for all $x$. Under these conditions, we say we have an $A$ factor, in honor of $A$ occurring in 
equation (3) above. If (1), (2), and (3) hold, 

$$Ax_{i+1} + Ax_{i-1} = \psi(Ax_i + Ak_i)$$

yielding 

$$y_{i+1} + y_{i-1} = \psi(y_i + l_i) \qquad (4)$$

where $y_i = Ax_i$, $l_i = Ak_i$. Equation (4) is identical in form to equation (2), so the pairs $(y_i, l_i)$ 
form a new cipher system. We call this the "mapped" cipher system. $y_0, y_1$ form the mapped 
plaintext, $y_{15}$ and $y_{16}$ form the mapped ciphertext and the $l_i$ are the mapped per round keys. 

Let $KS_i$ be the key schedule matrix for round $i$, then the map 

$$k \mapsto (KS_1(k), \ldots, KS_{16}(k))$$

has an image (in $V_{768}$) of dimension 56. If the corresponding key schedule for the mapped 
cipher, given by 

$$(A\,KS_1(k), \ldots, A\,KS_{16}(k)) = (l_1, \ldots, l_{16}),$$

has dimension $n$ ($0 \le n \le 56$), we can recover the original key as follows. Search over the 
mapped keyspace to find the $l$ producing the correct behavior in a transformed plain/ciphertext 
pair. This costs $2^n$ time. Then go back to the original cipher, looking for the key $k$ in the coset 
of the null space of $A$ mapping to $l$. This costs $2^{56-n}$ time. Total cost: $2^n + 2^{56-n}$. 

We need some more notation for later; most of the notation concerns projection operators 
of various sorts, to wit: 

$$\pi_i(c_1, \ldots, c_n) = (0, 0, \ldots, c_i, \ldots, 0)$$
$$\theta_{j,m} = \pi_j + \cdots + \pi_m$$
$$\rho_i = \theta_{6(i-1)+1,\,6i}$$
$$p_i = \theta_{4(i-1)+1,\,4i}$$

$$V^{(i)} = \rho_i(V_{48})$$

$$\phi_x(y) = \phi(x + y) - \phi(x)$$
$N_A$ is the null space of $A$. 



LOOKING FOR AN A 

Now we show that no such non trivial $A$ exists. The following characterization will 
facilitate the search for $A$. Statement 1 is the one we want for cryptanalysis. Statement 2 is 
easier to verify; statement 3 is still easier to verify. 

THEOREM 1. Suppose $A : V \to V$ and $\phi : V \to V$, with $A$ linear. The following are 
equivalent. 

1. There is a $\psi : W \to W$ such that $A\phi(x) = \psi(Ax)$. 

2. If $Ax = Ay$ then $A\phi(x) = A\phi(y)$. 

3. For all $x$ in $V$, $\phi_x(N_A) \subseteq N_A$. 

PROOF. 3 → 2: If $Ax = Ay$, $A(x - y) = 0$ so $x - y$ is in $N_A$. By the conclusion of 3, 
$A(\phi(z + (x - y)) - \phi(z)) = 0$ for all $z$ in $V$. Setting $z = y$ and distributing the $A$, we get 
$A\phi(x) = A\phi(y)$. 

2 → 3: If $z$ is in $N_A$, $A(x + z) = A(x)$ for any $x$; so, by 2, $A\phi(x + z) = A\phi(x)$. Thus, 
$A(\phi(x + z) - \phi(x)) = 0$; so $\phi(x + z) - \phi(x)$ is in $N_A$. 

1 → 2: $A(\phi(x) - \phi(y)) = \psi(Ax) - \psi(Ay) = 0$, the last equality follows from 1 if $Ax = Ay$. 

2 → 1: Define $\psi(Ax) = A\phi(x)$. We need only show that the given map is well defined. If 
$Ax = Ay$, $A\phi(x) = A\phi(y)$, so the map is well defined. Note that $W$ is just the image (in $V$) of 
$A$. This condition insures that the diagram below commutes. 
(Commuting diagram for 2 → 1: $V$ on the top row, $W$ on the bottom row.) 

By Theorem 1 (3), we want to look for subspaces $S$ satisfying the following condition. 

CONDITION S. $\phi_x(S) \subseteq S$ for all $x$ in $V$. 

THEOREM 2. Let $T_i(a) = \mathrm{span}\{ S_i(a + b) - S_i(b) : \text{all } b \text{ in } V_6 \}$. If $i \neq 4$ and $a \neq 0$ 
then $T_i(a)$ is $V_4$. If $i = 4$ and $a \neq 0$, $T_4(a)$ is one of two 2 dimensional spaces, a 3 
dimensional space or the entire 4 dimensional space. 

PROOF. A simple computer program was written to verify these. 

THEOREM 3. Suppose $S$ is a subspace satisfying "condition S". Further, suppose there is 
a $y$ in $S$ with $\rho_i(y) \neq 0$. If $i \neq 4$, $W^{(i)} \subseteq S$; if $i = 4$, $S$ contains at least a two dimensional 
subspace of $W^{(4)}$. 

PROOF. Suppose $u, v$ are in $V^{(i)}$. Then by condition S, 

$$u' = \phi(y + u) - \phi(u) = EP\big(S_1(\rho_1(u + y)) - S_1(\rho_1(u)), \ldots, S_8(\rho_8(u + y)) - S_8(\rho_8(u))\big)$$

and 

$$v' = \phi(y + v) - \phi(v) = EP\big(S_1(\rho_1(v + y)) - S_1(\rho_1(v)), \ldots, S_8(\rho_8(v + y)) - S_8(\rho_8(v))\big)$$

are in $S$. $u' - v'$ must also be in $S$ and $\rho_j(u + y) = \rho_j(v + y) = \rho_j(y)$ if $j \neq i$. So, 

$$u' - v' = EP\big(0, 0, \ldots, 0, S_i(\rho_i(u + y)) - S_i(\rho_i(u)) - S_i(\rho_i(v + y)) + S_i(\rho_i(v)), 0, \ldots, 0\big)$$

is also in $S$. Setting 

$$T(u, v) = S_i(\rho_i(u + y)) - S_i(\rho_i(u)) - S_i(\rho_i(v + y)) + S_i(\rho_i(v)),$$

theorem 2 tells us that $\mathrm{span}\{T(u, v) : u, v \in V^{(i)}\}$ is all $V_4$ if $i \neq 4$ and is at least a two 
dimensional subspace of $V_4$ if $i = 4$. Thus, if $i \neq 4$, $S$ contains $EP(V^{(i)}) = W^{(i)}$; if $i = 4$, $S$ 
contains (at least) a two dimensional subspace of $W^{(4)}$. QED. 

REMARK. We say output block $k$ is affected by input block $i$ if at least one of the bits of 
output block $k$ is calculated using S box $i$. $EP$ switches and expands outputs from the S box calculation so 
it's easy to see that output block $k$ is affected by input block $i$ iff $V^{(k)} \cap W^{(i)} \neq 0$. 
Effect of 6 bit (input, output) blocks on $(x, \phi(x))$ 

  In block   Out block (round 1)   Out block (round 2) 
  1          7,4,2,5,6,8           all blocks 
  2          6,8,3,7,5,1           all blocks 
  3          5,1,4,6,7,2           all blocks 
  4          7,2,5,8,3,1           all blocks 
  5          3,1,2,6,4,8           all blocks 
  6          4,8,7,1,3,5           all blocks 
  7          3,5,4,2,8,6           all blocks 
  8          2,6,3,1,7,4           all blocks 



LEMMA. Suppose $S$ is a subspace satisfying "condition S" and suppose $i \neq 4$. If a 6 bit 
output block $k$ is affected, during the calculation of $\phi(x)$, by a bit from a six bit input block $i$ 
and if $S$ contains a $y$ such that $\rho_i(y) \neq 0$, then $W^{(k)} \subseteq S$ provided $k \neq 4$. If $k = 4$, there is at 
least a two dimensional subspace of $W^{(4)}$ contained in $S$. 

PROOF. If output block $k$ is affected by input block $i$, $\rho_k(W^{(i)}) \cap V^{(k)} \neq 0$. Since 
$\rho_i(y) \neq 0$, theorem 3 yields $W^{(i)} \subseteq S$; this, in turn, means there is a $y$ in $S$ such that 
$\rho_k(y) \neq 0$. Applying theorem 3 again, we get $W^{(k)} \subseteq S$, if $k \neq 4$; if $k = 4$ there is a two 
dimensional subspace $W'$, $W' \subseteq S$, with $W' \subseteq W^{(4)}$. This is exactly what the lemma claims, so 
we are done. QED. 

THEOREM 4. If $S$ is a subspace satisfying "condition S" and $S \neq 0$ then $S = W$. 

PROOF. We prove this by pumping up $S$ to $W$. Suppose $S \neq 0$, then there is an $i$ 
($1 \le i \le 8$) and a $y$ in $S$ with $\rho_i(y) \neq 0$. 

For the sake of simplicity, let's assume $i = 1$, so $\rho_1(y) \neq 0$. By theorem 1, $W^{(1)} \subseteq S$; by 
the Lemma, $W^{(k)} \subseteq S$, for $k = 2, 5, 6, 7, 8$ and, in addition, there's at least a 2 dimensional 
subspace of $W^{(4)}$ in $S$. Now, $W^{(7)} \subseteq S$ so by reapplying the Lemma, we get $W^{(k)} \subseteq S$, for 
$k = 2, 3, 5, 6, 8$. To recap, $\rho_1(y) \neq 0$ implies that $W^{(k)} \subseteq S$ for $k \neq 4$. 

$$\sum_{k \in \{1, 3, 5, 6, 8\}} \rho_4(W^{(k)}) = V^{(4)}.$$

It's easy to see that $V^{(4)} \subseteq S$ implies $W^{(4)} \subseteq S$. Thus $W^{(k)} \subseteq S$ 
for $1 \le k \le 8$, hence $S = W$. 

For values of $i$ other than 1 and 4 the argument in the preceding paragraph applies 
mutatis mutandis. If $\rho_4(y) \neq 0$, the table and Theorem 3 show that $W^{(4)} \cap V^{(n)} \neq 0$ for some 
$n$ in $\{1, 2, 3, 5, 7, 8\}$. Thus, for some $y$ in $S$, $\rho_i(y) \neq 0$ for some $i \neq 4$, provided only that $S \neq 0$. 
By the above argument, $S = W$. QED. 

REMARK. The proof of the theorem above basically "reapplies" the mapping $\phi_x(y)$ for 
non zero $y$ in $S$ until $\phi_x$ gobbles up $S$. 



EXTENSION TO AB FACTORS 

We have called the sort of per round linear factor discussed above an $A$ factor, in honor 
of the equation 

$$A\phi(x) = \psi(Ax)$$

which holds for all $x$. A fancier kind of factor is the $AB$ factor, which we now discuss. Here we 
suppose we are given a pair of linear maps $A$ and $B$, and a possibly non linear function $\psi$, so that 
for all $x$ both of 

$$A\phi(x) = \psi(Bx)$$

and 

$$B\phi(x) = \psi(Ax)$$

hold. Clearly an $A$ factor is an $AB$ factor: just let $B = A$. 

A non trivial $AB$ factor can also be used to solve the DES. One applies $A$ and $B$ 
alternately to the DES rounds. Let 

$$T_i = A$$

if $i$ is even and 

$$T_i = B$$

if $i$ is odd. Then 

$$y_i = T_i x_i, \qquad l_i = T_i k_i$$

and 

as in equation (4) above. This is a factor cryptosystem of DES type, but it may have a smaller 
keyspace. 
Unfortunately, if an $AB$ factor exists, so does an $A$ factor. This follows from the 
following fact, whose proof is easy: 

THEOREM 5. Let 

$$\phi : V \to V$$

$$\psi_1 : W_1 \to W_2$$

$$\psi_2 : W_2 \to W_1$$

$$T_1 : V \to W_1$$

$$T_2 : V \to W_2$$

be maps between vector spaces, $\phi$, $\psi_1$, and $\psi_2$ not necessarily being linear. Suppose, for all $v$ in 
$V$ we have 

$$T_2(\phi(v)) = \psi_1(T_1(v))$$

and 

$$T_1(\phi(v)) = \psi_2(T_2(v)).$$

Then there is a vector space $W$ and a linear map $A : V \to W$ and a function $\psi : W \to W$ such 
that for all $v$ in $V$, 

$$A(\phi(v)) = \psi(A(v)).$$

PROOF. Let $W = W_1 \oplus W_2$. Then $A(v) = (T_1(v), T_2(v))$ and 
$\psi(w_1, w_2) = (\psi_1(w_1), \psi_2(w_2))$ satisfy the conclusion of the theorem. QED. 



EXTENSION TO $\alpha\beta\gamma$ FACTORS 

Stepping back a moment, we might say that the point of the above attack is to find a per 
round linear relationship among the (plaintext, ciphertext, key) triples. If we don't insist that the 
relationship be linear, a broader attack may hold. For example, consider the following, which we 
call an $\alpha\beta\gamma$ factorization. 

Let $\sigma_i$ be a basic enciphering operation (like a round of DES) depending on the key bits 
$k_i$. Then the plaintext $x_0$ is converted to the ciphertext $x_n$ by the iteration $x_{i+1} = \sigma_i(x_i)$. Suppose 
we can find $\alpha$, $\beta$, and $\gamma$ with $\gamma$ linear satisfying 

$$\alpha(x) + \beta(\sigma_i(x)) + \gamma(k_i) = 0 \qquad (5)$$

and 

$$\beta(x) + \alpha(\sigma_i(x)) + \gamma(k_i) = 0. \qquad (6)$$

(Equivalently, we might require 

$$\alpha(x) + \alpha(\sigma_i(x)) = \beta(\sigma_i(x)) + \beta(x) \qquad (7)$$

instead of (6).) Now we can apply (5) to the enciphering equations, yielding (term by term) 

$$\alpha(x_i) + \beta(x_{i+1}) = \gamma(k_i)$$

and, on summation, 

$$\sum_{i=0}^{n-1} \alpha(x_i) + \sum_{i=0}^{n-1} \beta(x_{i+1}) = \sum_{i=0}^{n-1} \gamma(k_i).$$

Rearranging and using (2) and canceling terms appearing an even number of times, we get 

$$\alpha(x_0) + \alpha(x_n) = \sum_{i=0}^{n-1} \gamma(k_i) \qquad (7)$$

when $n$ is even and 

$$\beta(x_0) + \alpha(x_n) = \sum_{i=0}^{n-1} \gamma(k_i)$$

when $n$ is odd. Belaboring the point, we might write 

$$\alpha(\text{plaintext}) + \alpha(\text{ciphertext}) = \sum_{i=0}^{n-1} \gamma(k_i) \qquad (8a)$$

$$\beta(\text{plaintext}) + \alpha(\text{ciphertext}) = \sum_{i=0}^{n-1} \gamma(k_i). \qquad (8b)$$

To use such a relation to help find the key, suppose we are trying to find a key in $V_k$. Let 
$W$ be the 1 dimensional subspace satisfying (8a) or (8b). Instead of searching all elements in 
$V_k$, restrict the search to elements of $W$. This produces a computational savings of ½; if many 
such relations can be found, determination of the key (even for a large keyspace) would be quick 
and painless. 






Whether $\alpha, \beta, \gamma$ satisfying (5) and (6) exist is a deep question. Sometimes their existence 
and discovery are not too difficult. For example, Equation (6) automatically holds if (5) holds 
and $\sigma_i$ is an involution. Significantly, it is easy to show that (6) also holds for a round of DES 
(where $\sigma_i = \mu\lambda_i$) if (5) holds with $\sigma_i = \lambda_i$ and $\alpha(\mu(x)) + \beta(\mu(x)) = \alpha(x) + \beta(x)$. If an S box had a 
non trivial affine dependence, we could manufacture such functions in the following manner. 
Suppose we had 

$$MS(x) + L(x) = 0$$

for some S box $S$ with $M$ and $L$ matrices of size $1 \times 4$. Set $\alpha = M$ and $\beta = \gamma = L$. As a 
consequence of the above relation, we have 

$$\alpha(S(x_i)) + \beta(x_i) = 0$$

or since $\beta = \gamma$ is linear 

$$\alpha(S(x_i)) + \beta(x) = \gamma(k_i)$$

It is easy to see how to modify $\alpha, \beta$ and $\gamma$ when we replace $S$ by the $\sigma_i$ of DES. 

Once again, no S box has this linear property. But this begs the larger question: Do any 
such $\alpha, \beta, \gamma$ exist for DES? Unfortunately, it can be shown that any $\alpha\beta\gamma$ factor already takes this 
form. To see this, it will be convenient to switch notation. Writing a round of DES as 

$$(x, y) \mapsto (y, x + f(y + k_i))$$

equation (5) becomes 

$$\alpha(x, y) + \beta((y, x + f(y + k_i))) + \gamma(k_i) = 0 \qquad (9)$$

$f$ being the cryptographic function defined in the section on DES notation. Now set $y = 0$, and, 
as before, let $\phi(x) = Ef(x)$. Let $P$ be a quasi inverse of $E$ on $V_{32}$, i.e., $PE(x) = x$ for $x$ in 
$V_{32}$. Now make the following definitions (Caution: the $f$ below is not the same as the $f$ in 
equation (5); also, remember that $P$ is not the $P$ defined in the section on DES notation.) 

$$g(x) = \alpha(Px, 0)$$

$$h(x) = \gamma(x)$$

$$f(x) = \beta(0, Px)$$

Then for all $x$ and $y$ in $W$ $(= V_{48})$, 

$$g(x) + h(y) = f(x + \phi(y))$$

We now show that the above equation holds only if $f$ is affine. 
THEOREM 6. Suppose $\phi : W \to W$ and that for all $x, y$ in $W$ 

$$f(x + \phi(y)) = g(x) + h(y)$$

where $h$ is linear and $g(a) = 0$ for some $a$ in $W$. If $\mathrm{Image}(\phi)$ is an abelian group then $f$ is 
affine on $\mathrm{Image}(\phi)$. Since $f$ is affine and $h$ is linear, $g$ is also affine. 

Proof. 

$$f(x + \phi(y_1 + y_2)) = g(x) + h(y_1) + h(y_2) = f(x + \phi(y_1)) + h(y_2) = f(x + \phi(y_2)) + h(y_1) \qquad (*)$$

Since we are in GF(2), 

$$f(x + \phi(y_1)) = f(x + \phi(y_2)) + h(y_1) + h(y_2)$$

$g(a) = 0$ and (*) imply 

$$f(x + \phi(y_1)) = f(x + \phi(y_2)) + f(a + \phi(y_1)) + f(a + \phi(y_2))$$

Since the image of $\phi$ is in $W$ and $a$ is in $W$, we can set $x = a + \phi(y_2)$ yielding 

$$f(\phi(y_1) + \phi(y_2) + a) = f(a + \phi(y_1)) + f(a + \phi(y_2)) + f(a)$$

Finally, since $\mathrm{Image}(\phi)$ is an abelian group, for all $u_1, u_2$ in $\mathrm{Image}(\phi)$, we can find $y_1, y_2$ in $W$ 
with $u_1 = \phi(y_1)$, $u_2 = \phi(y_2)$ giving: 

$$f(u_1 + u_2 + a) = f(a + u_1) + f(a + u_2) + f(a)$$

Setting $l(x) = f(x + a)$, this becomes 

$$l(u_1 + u_2) = l(u_1) + l(u_2) + c$$

as claimed. 

THEOREM 7. DES has no per round linear factors of $\alpha, \beta, \gamma$ type. 

PROOF. If DES had a per round factor of $\alpha, \beta, \gamma$ type, then by theorem 6, the factor 
functions would express a (non trivial) affine relationship among the input, output, and key bits 
of a round. Since the outputs of different S boxes are algebraically independent, it suffices to 
show that no such relationship holds among the four output bits of any of the eight S boxes. 
Application of the following lemma concludes the proof. 

LEMMA. Let $S_{4(i-1)+j}$ denote the $j$'th bit of S box $i$. Then for all $i$, 

$$\sum_{j=1}^{4} a_j S_{4(i-1)+j}(x_1, \ldots, x_6) + \sum_{j=1}^{6} b_j x_j + d = 0$$

implies that $a_j = b_k = 0$ for $j = 1, 2, 3, 4$, $k = 1, 2, \ldots, 6$. 

PROOF. Linear algebra applied to the truth tables of all of the output bits of all of the S 
boxes. QED. 
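Both of the paper's "by computer" claims, Theorem 2's spans $T_i(a)$ and the S box Lemma just above, can be checked in a few lines. The following is an added example, not the paper's program; it uses the standard FIPS 46 tables for S1 and S4 and a small GF(2) rank routine.

```python
# Added example (not the paper's program): reproduce the two S box checks the
# paper says were done by computer, for S1 and S4 of DES.

# FIPS 46 tables for S1 and S4: four rows of sixteen 4 bit outputs each.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
S4 = [
    [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
    [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
    [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
    [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
]


def sbox(table, x):
    """Evaluate an S box on a 6 bit input x (0..63).  Bits 1 and 6 of x select
    the row and bits 2..5 the column, the FIPS 46 convention."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def gf2_rank(vectors):
    """Rank over GF(2) of bit vectors held as Python ints: Gaussian
    elimination keyed on each vector's leading set bit."""
    pivots = {}  # leading bit position -> basis vector with that leading bit
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]
    return len(pivots)


def span_dim(table, a):
    """dim T_i(a) = dim span{ S_i(a+b) - S_i(b) : b in V_6 }; '+' and '-' are
    both XOR because we are in GF(2)."""
    return gf2_rank([sbox(table, a ^ b) ^ sbox(table, b) for b in range(64)])


def span_dims(table):
    """Sorted list of dim T_i(a) over the 63 non-zero a."""
    return sorted(span_dim(table, a) for a in range(1, 64))


def has_affine_dependence(table):
    """Lemma for Theorem 7: is there a non-trivial (a_1..a_4, b_1..b_6, d) with
    sum_j a_j S_j(x) + sum_k b_k x_k + d = 0 for every x in V_6?  Each x gives
    one GF(2) equation in the 11 unknowns; a non-trivial solution exists
    exactly when the 64 x 11 coefficient matrix has rank below 11."""
    rows = []
    for x in range(64):
        # coefficient row: 4 output bits | 6 input bits | the constant 1
        rows.append((sbox(table, x) << 7) | (x << 1) | 1)
    return gf2_rank(rows) < 11


if __name__ == "__main__":
    for name, table in (("S1", S1), ("S4", S4)):
        dims = span_dims(table)
        print(name, "dim T(a) over non-zero a:",
              {d: dims.count(d) for d in sorted(set(dims))},
              "| affine dependence:", has_affine_dependence(table))
```

For S1 every non-zero $a$ gives the full $V_4$, while S4 shows the smaller spans Theorem 2 describes (for example $a = 000001$, flipping input bit 6, gives a 3 dimensional span); neither S box admits an affine relation.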



CONCLUSION 

DES seems to have no non trivial linear per round factor structure. It's hard to imagine a 
non linear per round factor structure that is useful for cryptanalysis. It is barely possible DES 
has a non trivial global factor structure that induces trivial factor behavior per round but nobody 
we know has a clue about what that would look like. The conclusion is that DES will not be 
solvable by factorization. 

Nothing in this note says anything about approximate factorizations, or factorizations 
that usually hold, nor have we given up on finding non linear per round factors that yield 
tractable (non linear) constraint equations. 
A MESSAGE AUTHENTICATOR ALGORITHM SUITABLE FOR 
A MAINFRAME COMPUTER 

INTRODUCTION 

Authenticators are widely used to protect payment messages 
against active attack. They produce a number, sometimes called a 
'MAC', which is a function of the whole message and a secret key. 
The earlier name for them in banking was 'test-key', but this 
obsolescent term is confusing to cryptographers. 

Several algorithms now in use, such as that of S.W.I.F.T. and the 
Data Seal, are not revealed to the public. Authenticators based 
on the DEA and the DSA algorithms (decimal shift and add - for 
decimal calculators) are public but neither is well adapted to 
mainframe computers. 

Bankers Automated Clearing Services (BACS) suggested the need for 
a 'mainframe authenticator' and together, with a colleague, David 
Clayden, we developed this one, known in banking circles as 
'MAA'. 

The algorithm attracted the attention of the 'Test Key Working 
Party' of the CLCB (Committee of the London Clearing Banks) who 
arranged for independent testing of the algorithm. It is also 
being considered by an ISO working group. 

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 393-400, 1985. 
© Springer-Verlag Berlin Heidelberg 1985 
DESCRIPTION 

The definition of the algorithm is contained in an NPL Report 
DITC 17/83 dated February 1983 with the same title as this paper, 
by D. W. Davies and D. O. Clayden. All I can do here is to 
sketch out its structure. Serious study requires a copy of the 
definition. NPL is the UK National Physical Laboratory at 
Teddington, Middlesex, TW11 0LW, UK. 

The key has two numbers, J and K, each of 32 bits. All words 
used in the algorithm are 32 bits long. When a new key is 
installed, a key calculation called the 'Prelude' produces 6 
numbers $X_0, Y_0, V_0, W, S, T$ which are used in the rest of the 
algorithm. The choice of J, K is unrestricted. 

Multiplication is the principal tool of this algorithm and is 
used in two varieties, modulo $2^{32} - 1$ and modulo $2^{32} - 2$. The 
prelude is mainly the following calculation: 

$$X_0 = J^4(1)\ \text{XOR}\ J^4(2)$$

$$Y_0 = [K^5(1)\ \text{XOR}\ K^5(2)]\,(1 + P)$$

$$V_0 = J^6(1)\ \text{XOR}\ J^6(2)$$

$$W = K^7(1)\ \text{XOR}\ K^7(2)$$

$$S = J^8(1)\ \text{XOR}\ J^8(2)$$

$$T = K^9(1)\ \text{XOR}\ K^9(2)$$
where 1 and 2 refer to the two moduli $2^{32} - 1$ and $2^{32} - 2$ 
respectively and XOR is bit-wise on a 32 bit word. 

The eight bytes J,K are first treated by a procedure to replace 
any byte which is 0000,0000 or 1111,1111. A resultant number 
P records the changes made and its use in calculating $Y_0$ avoids 
reducing the key space. The pairs $X_0, Y_0$; $V_0, W$ and $S, T$ are 
similarly treated to remove runs of zeros or ones before they are 
used in the body of the algorithm. 

The main part of the calculation (we considered calling it the 
Fugue) takes in the message in blocks $M_i$ of size 4 bytes and, for 
each one, repeats the steps in Figure 1. The variables X, Y, V 
are initialised to $X_0$, $Y_0$ and $V_0$ respectively. For each block, V 
is cyclic shifted left one bit and XORed with W to produce E. 
The + operations are modulo $2^{32}$. The constants A, B, C, D are 
used in the logical operations to set 8 bits of each number (F 
and G) to fixed values. The aim is to avoid bytes of all zeros 
or all ones in the multipliers F and G, as well as to introduce 
non-linearity. The two multiplications with different moduli 
complete the round. 

The authenticator value to be produced at the end of the 
calculation is simply Z = X XOR Y, but after the last message 
block has been used, the numbers S and T are used as message 
blocks for two rounds (as if appended to the message) before the 
final XOR operation. This last part, producing Z, is called the 
Coda. 
PERFORMANCE 

Since this algorithm is designed for a 32 bit computer containing a 
multiplier, the performance figure for a typical IBM 
configuration would be of interest. But in the time that has 
passed since the report was published, no such measurements of 
performance have been reported to us. An assembly language 
program for a microcomputer (2 MHz 6502 = BBC Micro) takes 47 ms 
for the prelude and coda and 5.92 ms for each block of message 
(675 byte/s or 5405 bit/s). Since this uses a programmed multi- 
plication it is not the way that MAA was designed to be used. 
TESTING 

We have no positive reason for confidence in the security of the 
algorithm but at each stage of testing we tried all the 
input/output dependencies and statistical distributions we could 
think of. We also used a zero message and some constant messages 
(such as all ones) and looked for loops. 

Most of the testing was done with altered versions of the 
algorithm deliberately weakened in some way. For example, we 
demanded in most cases that both the X and the Y values should 
show good statistical properties (and confirmed the results with 
Z). We reduced the number of fixed bits in A, B, C, D and 
removed E & S and T, though not all these at the same time. For 
sensitivity to key changes we varied separately the six outputs 
of the prelude, before testing with the prelude in place. 

At several stages of development, problems were found and fixed, 
but we found the fixes had to be carefully thought through to 
avoid bringing back old problems. When all our weakened tests 
were passed we tested it again in its complete form. 
PROBLEMS 



Two problems have been pointed out. If X becomes zero and $M_i$ 
remains zero then X remains zero. If you know X you could make 
$M_i$ = X and engineer this zero value. If both X and Y become 
zero and $M_i$ remains zero then X and Y remain zero. In this last 
case any set of consecutive zero message blocks can be inserted 
without changing the value of the authenticator. This is indeed 
a flaw but can anyone suggest how an opponent would use it, not 
knowing when X = Y = 0, a very rare event? 

The second problem was posed by H. Block of SAK Data AB in 'File 
Authentication - A rule for constructing algorithms', at 
Eurocrypt 84. If all the $M_i$ are fixed, each round of the main 
loop maps (X,Y) into (X,Y) with a mapping that is injective. For 
an approximation, assume that these are random mappings. Now 
imagine that 3-4 early blocks in a very long sequence are varied 
so that all $2^{64}$ states of X,Y are attained at some point in the 
sequence of rounds. With constant $M_i$ values thereafter, each 
mapping reduces the number of attainable states. When it falls 
below about $2^{34}$, there is a significant risk that values of Z 
will be missing from the set of $2^{32}$. Eventually, the 'memory' 
of these early changes of $M_i$ will be lost. Block concludes that 
injective functions should never be used. He thinks that the 
problem may be worse than we see when random mappings are 
assumed. 

During the testing of the algorithm with 'toy' examples this 
effect was detected and (though with only a few cases to estimate 
from) its magnitude agreed with the theoretical value for random 
mappings, so we are content to rely on that theory. If we used 
the argument that 'it might be much worse' this would disqualify 
all but provably secure algorithms, of which there is a shortage. 



ANALYSIS OF THE 'LOSS OF MEMORY ' PROBLEM 



Suppose that the number of states is N and that a set $X_i$ of these 
is mapped by a random mapping into the same domain, giving $X_{i+1}$ 
distinct states. Then approximately (Poisson distribution) 

$$X_{i+1}/N = 1 - \exp(-X_i/N)$$

If the sequence is evaluated, starting at $X_0/N = 1$, it follows, 
to a close approximation: 

$$X_i/N = 2 / \{ i + \tfrac{1}{3}\ln(i) + 9/5 \}$$

In the example of the MAA, $N = 2^{64}$ and $X_i = 2^{32}$ is reached 
approximately when $i = 2^{33}$. With, say, $10^9$ blocks of data in 
the message ($4 \times 10^9$ bytes), there should be no perceptible 
effect. In fact, to measure the effect would require a sample of 
much more than $2^{33}$ blocks. 

We have suggested an arbitrary, but very safe upper limit of $10^6$ 
blocks for any one message. Other considerations (error control 
and recovery) usually set a lower limit than this. 
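The recurrence and its closed-form approximation above are easy to evaluate, and the random-mapping assumption behind them can be checked on a small state space. The following is an added example, not part of the paper; the simulated mapping is a constructed stand-in for a main-loop round with fixed $M_i$, and the 4096-state size and seed are chosen arbitrarily.

```python
# Added example (not from the paper): the loss-of-memory recurrence
# X_{i+1}/N = 1 - exp(-X_i/N), the paper's approximation 2/(i + ln(i)/3 + 9/5),
# the block count at which the MAA's 2^64 (X,Y) states shrink to 2^32, and a
# seeded simulation of an iterated random mapping as a sanity check.
import math
import random


def recurrence(steps):
    """Fraction of states still reachable after each of `steps` rounds,
    starting from X_0/N = 1 (every (X,Y) pair attainable)."""
    frac = [1.0]
    for _ in range(steps):
        frac.append(1.0 - math.exp(-frac[-1]))
    return frac


def approx_fraction(i):
    """The paper's closed-form approximation to X_i/N, valid for i >= 1."""
    return 2.0 / (i + math.log(i) / 3.0 + 9.0 / 5.0)


def rounds_until(n_states, target):
    """Smallest i (by bisection on the approximation) at which the number of
    reachable states n_states * approx_fraction(i) has fallen to `target`."""
    lo, hi = 1, 1
    while n_states * approx_fraction(hi) > target:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if n_states * approx_fraction(mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


def simulate_random_mapping(n_states, steps, seed=1):
    """Distinct states after each round when one fixed random mapping (a
    constructed stand-in for a fixed-M_i round) is iterated on the full state
    set.  Returns a list of length steps + 1 starting at n_states."""
    rng = random.Random(seed)
    mapping = [rng.randrange(n_states) for _ in range(n_states)]
    reachable = set(range(n_states))
    counts = [len(reachable)]
    for _ in range(steps):
        reachable = {mapping[s] for s in reachable}
        counts.append(len(reachable))
    return counts


if __name__ == "__main__":
    rec = recurrence(100)
    for i in (1, 10, 100):
        print(f"i={i:3d}  recurrence={rec[i]:.4f}  approx={approx_fraction(i):.4f}")
    # MAA: N = 2^64 states of (X, Y); how many fixed blocks until 2^32 remain?
    print("rounds until 2^32 states remain:", rounds_until(2 ** 64, 2 ** 32))
    sim = simulate_random_mapping(4096, 50)
    print("simulated fraction after 50 rounds:", sim[50] / 4096,
          " recurrence:", round(rec[50], 4))
```

The simulated count never grows (the image of a set under a mapping is at most as large as the set) and tracks the recurrence to within sampling noise, which is the behaviour the paper reports for its 'toy' examples.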

Acknowledgement is made to the National Physical Laboratory for 
supporting this work and to Open Computer Security for help with 
the presentation of this paper at Crypto '84. 
1. INTRODUCTION 

In this paper we consider a system whose function is to enable users to 
pay for goods or services by direct electronic transfer of funds. The 
system consists of terminals, located at retail outlets, which can 
communicate with acquirers representing various financial institutions. 

Each user of the system has a plastic card and a personal identification 
number (PIN) issued by a financial institution represented in the 
system. Affixed to the plastic card is a magnetic stripe, which bears 
the card holder's personal account number as well as other data such as 
the expiry date of the card. The PIN is typically four decimal digits 
long, and is effectively the card holder's electronic signature. He is 
expected to treat it as such, and refrain from divulging it to 
unauthorised third parties. Of course, the card holder in turn expects 
that his PIN will be adequately protected by any authorised body which 
has knowledge of it. 

Throughout this paper we make the simplifying assumption that an 
acquirer holds a complete data base for every card issued by the 
financial institutions it represents. In particular, an acquirer has a 
record of corresponding PINs and card data for all of those cards it is 
authorised to handle. In addition, we assume that the acquirer is in a 
position to endorse every transaction made with these cards. 
When a card holder wishes to make payment for a purchase from the 
retailer, the plastic card is presented, and the data encoded on the 
magnetic stripe is read by the terminal. This gives the terminal data 
related to the card holder, and identifies the acquirer for the 
particular transaction. The card holder separately enters his PIN. 
The retailer enters the details of the purchase, and the terminal then 
communicates with the acquirer, whose function is to ratify the 
transaction. This entails checking that the card is valid, that the 
account contains sufficient funds for the purchase, and that the PIN and 
card do in fact correspond. It is in this sense that the PIN acts as 
an electronic signature to authenticate the card holder to the acquirer. 

Having completed these tasks, the acquirer informs the terminal that 
the purchase can proceed (or otherwise), and then arranges for the 
appropriate funds to be credited to the retailer from the card holder's 
account. 

Clearly, it is essential that the PIN should be kept secret, that the 
transaction messages should be protected against corruption or 
intentional change during transmission, and that all parties should 
authenticate each other. These security requirements can all be 
satisfied by using cryptographic functions based on block ciphers such 
as the Data Encryption Algorithm [3]. Indeed, techniques to achieve 
this are published in a number of papers, notably [4] and [5], which 
describe PIN encryption and message protection respectively. The main 
problem is not the performance of the security functions themselves, but 
rather management of the enciphering keys. 

To understand some of the problems involved with key management, let us 
reconsider our entire system. Clearly, security will certainly be 
enhanced if all encryption and authentication takes place on an 
end-to-end basis without additional parties becoming involved. This 
also has the added advantage that it makes the system network 
independent, which means that in theory any transmission medium can be 
used, and in practice it is possible to use an alternative medium should 
the primary one fail. Now our system may well have hundreds of 
thousands of terminals communicating with a hundred or so acquirers. 
Thus the problem of distributing the multitude of cryptographic keys is 
paramount. Consequently, if end-to-end security is to be used, it is 
obviously desirable that the system be equipped with a procedure for 
automatically updating the keys. Of course when attempting to design 
such a procedure, one must bear in mind that it should not be possible 
for one acquirer to inadvertently compromise the keys of another. 
Taking this consideration a little further, it is clearly desirable that 
disclosure of a key should compromise at most one transaction. A 
system with this feature offers scant reward for anyone who manages to 
gain knowledge of a particular key. Finally, it must be stressed that 
our terminals are at most tamper-resistant and certainly not 
tamper-proof. In particular, a key housed for any length of time in a 
terminal cannot really be considered safe enough to be used to encipher 
a PIN. Once again, this points to the desirability of a system which 
automatically generates a fresh key for each transaction. 

The fresh key per transaction, or transaction key, approach was 
introduced in [ 1 ] as a way of overcoming some of these key management 
problems. The present article expands on the ideas of that paper, and 
develops a protocol for key management in the electronic transfer of 
funds system defined above. It should be stressed that the techniques 
are applicable to more general systems than the one chosen here. Our 
choice was made on the basis of requiring a system which reflected many 
of the central problems of key management, without being so complex that 
it overshadowed the salient features of the scheme. For a discussion in 
a wider context the reader is referred to [2]. For simplicity of 
description, the protocols are defined for a basic request-response 
message flow between a terminal and an acquirer. The scheme is such 
that confirmation of (non-) completion at a terminal of a particular 
transaction is automatically conveyed by the next request from that 
terminal to the acquirer. This does not mean that the system will not 
support a confirmation message within a transaction. Indeed, the 
protocols are readily adapted to accommodate a far more comprehensive 
dialogue than the one described here. 

Throughout the paper, we shall base all cryptographic functions needed 
to describe our key management protocols on the Data Encryption 
Algorithm (DEA). Of course, this is just a convenience, and it is 

not necessary to appreciate how the algorithm works. All that is 
required is to know that it transforms 64 bit blocks of clear text to 64 
bit blocks of cipher text under control of an enciphering key. The key 
is also 64 bits in length, but only 56 of the bits are actually used by 
the enciphering algorithm. We shall denote the clear text input to the 
algorithm by DATA, the resulting cipher text block by CIPHER and the 
controlling key by KEY. Thus, for our purposes, the enciphering 
algorithm E is described by 

$$E(\text{KEY}) : \text{DATA} \mapsto \text{CIPHER}$$

Having established this notation, we return to our system and describe 
how the transaction keys are generated. 

2. TRANSACTION KEYS 



We make use of the well known concept of including some card holder 
dependent data on the magnetic stripe of the card, and refer to this 
data as the card key. This data is read by the terminal but is not 
itself transmitted. In addition, the terminals contain a key register 
for each acquirer with whom it is authorised to communicate. 

Let us assume that our system is up and running, and that a card holder, 
wishing to pay for a purchase, presents his plastic card to the 
terminal. The terminal then reads the card key and the card holder's 
personal account number (PAN), and identifies the acquirer for the 
particular card. The transaction key is then generated at the terminal 
as a one-way function of the card key and the value in the key register 
for the particular acquirer. 

Assuming the one-way function is to be based upon the DEA, then the 
transaction key might be generated as follows: 

DATA ← card key 

KEY ← key register value 

transaction key ← CIPHER ⊕ DATA 

Of course, the terminal must provide the acquirer with sufficient 
information to generate the transaction key at his end. To accomplish 
this, the request message from the terminal includes in clear text the 
card holder's PAN and the terminal's identification. The acquirer 
maintains a key register for each terminal in the system, and the value 
in the register for a particular terminal agrees with the value held by 
that terminal in its key register for the acquirer. Since by 
hypothesis the acquirer holds a complete data base for every card it is 
authorised to handle, the acquirer has a list of corresponding card keys 
and PANs. Thus the acquirer is able to construct the transaction key 
by identifying the card key from the PAN and the key register value from 
the terminal identification. 

We have defined the transaction key as a function of two independent 
variables, the card key and the key register value, which is generated 
by both parties precisely when it is needed. In general, it is not 
possible to predict its value in advance because of the element of 
randomness provided by the card key. Naturally, we must update the key 
register value at the end of the transaction, and we also wish to make 
this updating a random process. As we shall see, this second element 
of randomness is provided by the unpredictability of the messages 
exchanged during the transaction. 

3. THE REQUEST MESSAGE 



Once the terminal has read the card and constructed the transaction key, 
details of the transaction are entered and a request message is 
compiled. This message must include the card holder's PAN and the 
terminal identification, both in clear text. In our system it will also 
include the card holder's PIN (or PIN offset), which should be 
separately entered and enciphered under the transaction key before being 
inserted in the message. It may also include other cipher blocks as 
well. 

Having compiled the request message, the terminal must now add an 
ingredient which protects it against change. In addition, the terminal 
must have a procedure to authenticate the acquirer, and a way of 
checking that the acquirer's response does indeed pertain to the 
particular request. These three authentication checks are achieved by 
generating a message authentication block (MAB) under control of the 
transaction key. Generation of this block follows the procedure 
described in [5] for constructing a message authentication code (MAC). 
The message is divided into n blocks B1, B2, ..., Bn, each 64 bits in 
length. The DEA is then used to process these blocks 
sequentially under control of the transaction key. More precisely 

KEY ← transaction key 

and n data blocks 

DATA1, DATA2, ..., DATAn 

are sequentially processed under KEY to produce cipher blocks 

CIPHER1, CIPHER2, ..., CIPHERn 

where 

DATA1 = B1 

and 

DATAj = CIPHER(j-1) ⊕ Bj 

for j = 2, 3, ..., n. The request MAB is defined to be the 
final cipher block CIPHERn. 

The left hand half of the MAB forms the request MAC. This is inserted 
into the message before transmission, and allows the acquirer to verify 
that the message has not been changed during transmission. The 
remaining 32 bits of the MAB form the request residue. This is 
retained by the terminal, and used later to authenticate the acquirer as 
the originator of the response message, and to confirm that the response 
corresponds to the request. It is also used in the key register 
updating procedure. 

When the acquirer receives the request message, it generates the 
transaction key, removes the request MAC from the message, and then uses 
the algorithm described above to generate a MAB for the truncated 
message. The left hand half of the MAB is then compared with the 
request MAC retained from the received message in order to confirm the 
message integrity. If the two do in fact agree, then this also 
authenticates the terminal to the acquirer because their key register 
values must be identical. Once the request message has been 
authenticated, the right hand half of the MAB is retained by the 
acquirer as the request residue. 

4. THE RESPONSE MESSAGE 

When the acquirer has finished checking the transaction details, he 
prepares a response message, and generates a MAB under control of the 
transaction key. The MAB generation procedure for the response message 
is slightly different from that described for the request message. The 
acquirer first adds the request residue to the beginning of the 
response, and then constructs a MAB for the extended message. The 
rationale for constructing the response MAB on the extended message is 
to tie the response to the request which prompted it. This enables the 
terminal to authenticate the acquirer as the originator of the response, 
as well as to confirm that the response does indeed correspond to the 
request. 

The left hand half of the response MAB is the response MAC. This is 
inserted into the response message after the request residue has been 
removed, and is used by the terminal to authenticate the message. The 
other half of the response MAB is called the response residue. This is 
retained by the acquirer, along with the request residue, to be used to 
update the key register. 

When the terminal receives the response message, it removes the response 
MAC, adds the request residue to the beginning of the message, and then 
generates a MAB for the extended message. The left hand half of the 
MAB is then compared with the response MAC removed from the incoming 
response message. If the two agree, then the terminal has 
authenticated both the message and the acquirer and confirmed that the 
received response corresponds to the original request message. Once 
authentication has been completed, the terminal retains the right hand 
half of the MAB as the response residue, and completes its end of the 
transaction. 
5. KEY REGISTER UPDATING 



After the acquirer has transmitted the response message, the transaction 
key is destroyed, the current key register value is stored, and the key 
register is updated. The reason for retaining a copy of the key 
register value will be explained later. First, we describe the key 
register updating procedure. 

The new value of the key register is a one-way function of the current 
value, the request residue and the response residue. If we use the 
same one-way function as we used to generate the transaction key, then 
the updating procedure may be defined by: 

DATA ← (request residue, response residue) 

KEY ← key register value 

key register value ← CIPHER ⊕ DATA, 

where the input to DATA is the concatenation of the two 32 bit request 
and response residues, forming a single 64 bit block. Thus the new key 
register value depends upon the old value and the message residues. 
Since the message residues depend upon the messages exchanged and the 
transaction key, which itself depends upon the card key, the new key 
register value is in general quite unpredictable. 

The terminal destroys the transaction key and updates its own key 
register value after it has authenticated the response message; the 
updating procedure being identical to that of the acquirer. Of course, 
if the response message fails to reach the terminal or fails to be 
authenticated, then the terminal's key register value remains unaltered, 
although the acquirer's has already been updated. It is precisely for 
this reason that the acquirer retains a copy of the previous value in 
its key register, for this enables the system to recover from the 
situation. 

Suppose then that the acquirer has updated its key register, but the 
terminal has failed to do so. On receipt of the next request from the 
terminal, the acquirer constructs a new transaction key, and then 
attempts to authenticate the message. Naturally, this will fail 
because the terminal is still using the old key register value. The 
acquirer then replaces its key register value by the old value it has 
retained, and generates a transaction key based on this value. If 
authentication is now successful, then the acquirer recognises that the 
previous transaction did not complete at the terminal, and can take the 
necessary action. Moreover, the terminal's and acquirer's key 
registers now agree, so that synchronisation is recovered and the 
current transaction can proceed as normal. 

The above discussion highlights one other feature of the system. 
Completion of a transaction at a particular terminal is confirmed to the 
acquirer by successful authentication of the next request received from 
that terminal. 
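The complete flow of sections 2 to 5, as an added example in Python that is not code from the paper or from any operational system: transaction key derivation from card key and key register, the chained MAB with its MAC/residue split, the response MAB tied to the request residue, the key register update, and the acquirer's recovery from a lost response. Assumptions, labelled in the code as well: the DEA is stood in for by a SHA-256 based Feistel permutation on 64 bit blocks because the Python standard library has no DES (substitute a DES implementation for a faithful run); messages are zero padded to a block boundary (the paper gives no padding rule); the PIN is checked by re-enciphering the stored PIN under the transaction key; the field separators, hex encoded PIN block, PANs, card keys, terminal identifier and initial register value are constructed for the demonstration.

```python
import hashlib

BLOCK = 8  # 64-bit blocks and 64-bit keys, as in the DEA


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, data: bytes) -> bytes:
    """E(KEY): DATA -> CIPHER.  ASSUMPTION: a 16-round Feistel permutation with
    SHA-256 as round function stands in for the DEA (no DES in the stdlib)."""
    assert len(key) == BLOCK and len(data) == BLOCK
    left, right = data[:4], data[4:]
    for rnd in range(16):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right


def one_way(key: bytes, data: bytes) -> bytes:
    """The paper's one-way function (sections 2 and 5): CIPHER xor DATA."""
    return xor(E(key, data), data)


def mab(key: bytes, message: bytes) -> bytes:
    """Section 3: chain the 64-bit blocks through E(KEY); MAB = last cipher
    block.  Zero padding to a block boundary is an ASSUMPTION (unstated)."""
    msg = message + b"\x00" * (-len(message) % BLOCK)
    cipher = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        cipher = E(key, xor(cipher, msg[i:i + BLOCK]))
    return cipher


def halves(block: bytes):
    return block[:4], block[4:]  # (MAC, sent) and (residue, retained)


class Terminal:
    def __init__(self, terminal_id: bytes, key_register: bytes):
        self.id, self.key_register = terminal_id, key_register  # one acquirer

    def request(self, card_key, pan, pin, details):
        self.tk = one_way(self.key_register, card_key)        # transaction key
        pin_block = E(self.tk, pin).hex().encode()            # PIN enciphered
        body = b"|".join([pan, self.id, pin_block, details])  # PAN, id in clear
        mac, self.req_residue = halves(mab(self.tk, body))
        return body, mac

    def finish(self, resp_body, resp_mac) -> bool:
        # The response MAB is taken over (request residue || response).
        mac, resp_residue = halves(mab(self.tk, self.req_residue + resp_body))
        if mac != resp_mac:
            return False  # not authenticated: key register left unaltered
        self.key_register = one_way(self.key_register, self.req_residue + resp_residue)
        self.tk = None    # transaction key destroyed
        return True


class Acquirer:
    def __init__(self, registers: dict, cards: dict):
        self.registers = registers  # terminal id -> key register value
        self.previous = {}          # terminal id -> value before the last update
        self.cards = cards          # PAN -> (card key, PIN): the card data base

    def handle(self, body, mac, decision: bytes):
        pan, tid, pin_block, _ = body.split(b"|", 3)
        card_key, pin = self.cards[pan]
        tk, recovered = one_way(self.registers[tid], card_key), False
        if halves(mab(tk, body))[0] != mac:
            # Section 5 recovery: retry with the retained previous value; if
            # that authenticates, the last response never completed there.
            old = self.previous.get(tid)
            if old is None or halves(mab(one_way(old, card_key), body))[0] != mac:
                return None
            tk, self.registers[tid], recovered = one_way(old, card_key), old, True
        if E(tk, pin).hex().encode() != pin_block:
            decision = b"DECLINED"  # wrong PIN; a response is still sent
        req_residue = halves(mab(tk, body))[1]
        resp_mac, resp_residue = halves(mab(tk, req_residue + decision))
        self.previous[tid] = self.registers[tid]
        self.registers[tid] = one_way(self.registers[tid], req_residue + resp_residue)
        return decision, resp_mac, recovered


def run_demo():
    """Three constructed transactions; the second response is lost in transit.
    Returns (recovered, completed, registers_in_step) for each."""
    reg0 = bytes.fromhex("0123456789abcdef")  # constructed initial register
    cards = {b"4000123412341234": (b"cardkey1", b"\x00\x00\x00\x001234"),
             b"4000987698769876": (b"cardkey2", b"\x00\x00\x00\x009876")}
    term, acq = Terminal(b"T001", reg0), Acquirer({b"T001": reg0}, cards)
    log = []
    for pan, lost in [(b"4000123412341234", False),
                      (b"4000987698769876", True),
                      (b"4000123412341234", False)]:
        card_key, pin = cards[pan]
        body, mac = term.request(card_key, pan, pin, b"GBP 12.50")
        resp, resp_mac, recovered = acq.handle(body, mac, b"APPROVED")
        completed = (not lost) and term.finish(resp, resp_mac)
        log.append((recovered, completed, term.key_register == acq.registers[b"T001"]))
    return log
```

Running run_demo() shows the registers in step after the first transaction, out of step after the lost second response, and back in step after the third request is authenticated against the acquirer's retained value. Note that the acquirer only ever keeps one previous value: two consecutive lost responses from the same terminal would leave the terminal two updates behind and unrecoverable by this procedure, which is the case the paper's test-card re-initialisation is meant for.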



6. CONCLUSION 



There are a number of points to note regarding the key management scheme 
described in this paper. First, the transaction key is end-to-end and 
unique to the particular transaction. Even if an unauthorised person 
gained knowledge of a transaction key and the card key of the next card 
presented at the terminal for use with the same acquirer, this would not 
be sufficient to deduce the next transaction key. Similarly, it is not 
possible to deduce anything about the previous transaction with that 
acquirer. Thus the rewards for breaking a single key are indeed small. 
Secondly, key management is automatic, and a transaction key is 
unpredictable (because it depends on a card key and the value in a key 
register, and this value depends upon the previous value, the previous 
card key and the messages exchanged during the previous transaction) . 
Thirdly, confirmation that a transaction completed at a terminal is 
inherent in the next communication between the terminal and acquirer. 
Fourthly, it should be noted that a log-in is not required, and the 
system does not need to be shut down for the purpose of distributing new 
keys. Fifthly, even if someone breaks into a tamper-resistant terminal 
and obtains the key register values for some acquirers, the information 
is useless to them just as soon as bona-fide cards are presented at the 
terminal for use with these acquirers. This removes some of the need 
for high physical security of the terminals. 

The reader will probably have noted that we have described protocols for 
a system which is already operational, but have not 
mentioned how the system is initialised. This could be handled in 
several ways, and we shall make three suggestions. First, it is not 
inconceivable that a public key cryptosystem could be used to provide 
initial values for all key registers. Alternatively, each acquirer 
could insist that when a terminal is installed a test transmission using 
a test-card should precede all other transactions. This same test-card 
might also be used to re-initialise in the event of a catastrophic 
failure. A third possibility is that an acquirer might well simply 
choose to ignore the problem, bearing in mind that once a bona fide card 
is presented the terminal - acquirer link attains full security. 

Finally, we mention once again that the key management scheme outlined 
in this paper is applicable to more general systems than the one we have 
described. The techniques can be adapted to cover the situation where 
the acquirer does not hold a complete data base for each card it is 
authorised to handle, and to provide for a more extensive dialogue 
between terminal and acquirer. 
ABSTRACT 

We consider a communications scenario in which a transmitter attempts to inform 
a remote receiver of the state of a source by sending messages through an imperfect 
communications channel. There are two fundamentally different ways in which the 
receiver can end up being misinformed. The channel may be noisy so that symbols in 
the transmitted message can be received in error, or the channel may be under the 
control of an opponent who can either deliberately modify legitimate messages or 
else introduce fraudulent ones to deceive the receiver, i.e., what Wyner has called 
an "active wiretapper" [1]. The device by which the receiver improves his chances 
of detecting error (deception) is the same in either case: the deliberate intro- 
duction of redundant information into the transmitted message. The way in which 
this redundant information is introduced and used, though, is diametrically opposite 
in the two cases. 

For a statistically described noisy channel, coding theory is concerned with 
schemes (codes) that introduce redundancy in such a way that the most likely alter- 
ations to the encoded messages are in some sense close to the code they derive from. 
The receiver can then use a maximum likelihood detector to decide which (acceptable) 
message he should infer as having been transmitted from the (possibly altered) code 
that was received. In other words, the object in coding theory is to cluster the 
most likely alterations of an acceptable code as closely as possible (in an appro- 
priate metric) to the code itself, and disjoint from the corresponding clusters 
about other acceptable codes. 
In [1,2] the present author showed that the problem of detecting either the 
deliberate modification of legitimate messages or the introduction of fraudulent 
messages; i.e., of transmitter and digital message authentication, could be modeled 
in complete generality by replacing the classical noisy communications channel of 
coding theory with a game-theoretic noiseless channel in which an intelligent 
opponent, who knows the system and can observe the channel, plays so as to optimize his 
chances of deceiving the receiver. To provide some degree of immunity to deception 
(of the receiver), the transmitter also introduces redundancy in this case, but does 
so in such a way that, for any message the transmitter may send, the altered 
messages that the opponent would introduce using his optimal strategy are spread 
randomly, i.e., as uniformly as possible (again with respect to an appropriate metric) 
over the set of possible messages, $\mathcal{M}$. Authentication theory is concerned with 
devising and analyzing schemes (codes) to achieve this "spreading." It is in this 
sense that coding theory and authentication theory are dual theories: one is 
concerned with clustering the most likely alterations as closely about the original 
code as possible and the other with spreading the optimal (to the opponent) 
alterations as uniformly as possible over $\mathcal{M}$. 

The probability that the receiver will be deceived by the opponent, $P_d$, can be 
bounded below by any of several expressions involving the entropy of the source 
$H(S)$, of the channel $H(M)$, of the encoding rules used by the transmitter to assign 
messages to states of the source $H(E)$, etc. For example: 

$$ (1)\qquad \log P_d \ge H(MES) - H(E) - H(M) $$

The authentication system is said to be perfect if equality holds in (1), since 
in this case all of the information capacity of a transmitted message is used to 
either inform the receiver as to the state of the source or else to confound the 
opponent. In a sense, inequality (1) defines an authentication channel bound 
similar to the communication channel bounds of coding theory. Constructions for perfect 
authentication systems are consequently of great interest since they fully realize 
the capacity of the authentication channel. In the paper given at Crypto 84 we 
analyzed several infinite families of perfect systems and also extended the channel 
bounds to include cases in which the opponent knew the state of the source. Here we 
have the more modest goal of rigorously deriving the channel bound (1) and then 
using this result to derive a family of related bounds. 

FUNDAMENTALS 

In authentication, there are three participants: a transmitter who observes an 
information source $S$ and wishes to communicate these observations to a remotely 
located receiver over a publicly exposed, noiseless, communications channel and a 
receiver who wishes to not only learn what the transmitter has observed but also to 
assure himself that the communications (messages) that he receives actually came 
from the transmitter and that no alterations have been made in transit to the 
messages sent by the transmitter. The third participant, the opponent, wishes to 
deceive the receiver into accepting a message that will misinform him as to the 
state of the source. He can achieve this end in either of two ways: by 
impersonating the transmitter and sending a fraudulent message to the receiver when in fact 
none has been sent by the transmitter, or else by waiting and intercepting a message 
sent by the transmitter and substituting some other message. There are two 
possibilities to be considered; the opponent may either know or not know the state of the 
source; he does however know the message sent by the transmitter. Using this 
information, in either case, he can choose some other message to forward to the 
receiver. The opponent "wins" if the receiver accepts the fraudulent message in any 
of these situations as being a genuine (authentic) communication from the 
transmitter, and thereby ends up being misinformed about the state of the source. We 
have defined the authentication problem in its narrowest sense here; however, the 
model can be easily extended to include cases in which the source can be influenced 
(controlled) by either the transmitter or the opponent or in which the opponent's 
objectives are more restricted, i.e., he may wish to deceive the receiver into 
believing the source is in some particular state(s), not merely an arbitrary 
deception of the receiver. It is beyond the scope of this paper to treat these other 
authentication concerns; however, it is essential that the reader appreciate the 
precise constraints on the model of authentication used here. One of the 
simplifying assumptions made is that the transmitter and receiver act with common purpose, 
i.e., that they trust each other completely and that neither acts (either alone or 
in collaboration with an opponent) to deceive the other. In general, especially in 
commercial applications, this is an unrealistic assumption, since in practice the 
transmitter may wish to disavow messages (authentic) that he originated, or the 
receiver may wish to falsely attribute messages to the transmitter, or even 
disclaim having received an authentic message actually sent by the transmitter (and 
received by him). These questions get into areas of digital signatures, 
notarization, dating, certification (in the sense of certified mail), etc., which, while 
closely related to authentication, are primarily questions of systems protocol in 
which message authentication plays an essential part. We also assume (here) that 
only the receiver need be convinced of the authenticity of a message, as opposed 
to either the transmitter or receiver having to convince a third party (arbiter). 
In addition, as already mentioned we assume that all successful deceptions of the 
receiver are of equal value to the opponent, i.e., that his objective is purely to 
misinform the receiver about the state of the source, not to cause him to conclude 
that it is in any particular state. Even though the most interesting applications 
of digital message authentication made thus far [3,4] have been in situations in 
which the opponent knew the state of the source (message authentication without 
secrecy) we shall mostly be concerned with message authentication in situations in 
which the opponent is ignorant of the information being communicated to the receiver 
by the transmitter. Subject to these constraints, we now describe the general 
authentication system model. 

There is a source (set) $S$ with a probability distribution $\mathcal{S}$ on its elements for 
which the binary entropy is $H(S)$. $H(S)$ is the average amount of information about 
the source communicated to the receiver by the transmitter in each message. There 
is also a message space $\mathcal{M}$ consisting of all of the possible messages that the 
transmitter can send to the receiver. Since an unstated assumption is that the transmitter 
can communicate to the receiver any observation he makes of the source, $|\mathcal{M}| \ge |S|$, 
where $|S|$ is interpreted to be the cardinality of states of $S$ that have nonzero 
probability of occurrence. It should be obvious that authentication depends on the 
set of messages that the receiver may receive being partitioned into two nonempty 
parts: a collection of messages that the receiver will accept as authentic and 
another collection that he will reject as inauthentic. If $|\mathcal{M}| = |S|$, all messages 
would have to be acceptable to the receiver, hence no authentication would be 
possible in this case. Therefore, $|\mathcal{M}| > |S|$ and as we shall see later the even 
stronger inequality $H(M) > H(S)$ holds as well. Figure 1 schematically shows the 
essential features of what has been described thus far. 

Figure 1. 

Any message in the shaded region of $\mathcal{M}$ would be rejected by the receiver, while any 
message in the unshaded set would be accepted as authentic. Figure 1 also illustrates 
that it is possible for the opponent to fail to deceive the receiver, even though he 
succeeds in getting him to accept a message that was not sent by the transmitter. 
Assume that the state of the source is $s_2$ and that the transmitter chooses to encode 
this information by sending message $m$ to the receiver. If the opponent, not 
knowing the information shown in Figure 1 of course, intercepts the message and 
replaces it with $m'$, the receiver would accept $m'$ as being authentic since it is one 
of the messages that the transmitter might have sent, even though it was not the 
message actually sent in this case. However the receiver would interpret $m'$ to mean 
that the source state was $s_2$, as observed by the transmitter. The opponent would 
lose in this case, in spite of the fact that he succeeded in having the receiver 
accept a fraudulent message, since the receiver is not misinformed as to the state 
of the source. 

There is a well known precept in cryptography, known as Kerckhoffs's principle, 
that the opponent knows the system, i.e., the information contained in Figure 1. It 
is equally reasonable to assume the same for authentication. Consequently there 
would be no authentication possible for the receiver using the scheme shown in 
Figure 1 alone. What is done instead is to have many such encoding rules in an 
authentication system, all of which are known to the opponent, with the choice 
of the particular encoding rule in use being known only to the transmitter and 
receiver, similar in many respects to the "key" known only to the transmitter and 
receiver in a cryptosystem. Figure 2 suggests the general scheme: 

Figure 2. 

Each encoding rule, $e_i$, determines a proper subset $\mathcal{M}_i$ of $\mathcal{M}$, $|\mathcal{M}_i| \ge |S|$, and a 
mapping, perhaps one to many, of $S$ onto $\mathcal{M}_i$. The inverse mapping $D$ is a well 
defined function, i.e., for any $e_i \in \mathcal{E}$ and $m \in \mathcal{M}$, the function $D(e_i, m)$ defines a 
unique state in $S \cup \phi$, where $\phi$ is the null set. 

Even this very intuitive description of authentication should make clear the 
reason for describing authentication as a problem in "spreading" messages in $\mathcal{M}$. If 
$m_j$ is an acceptable message only in set $\mathcal{M}_1$, then the opponent, knowing the system, 
would be able to conclude that $e_1$ was the coding rule being used if he saw $m_j$ in the 
channel and would then be able to substitute another message with certainty of 
deceiving the receiver. To avoid this it is necessary that each message occur in 
sufficiently many authenticating sets to (ideally) leave the opponent no more able 
to "guess" at an acceptable message after he has observed what the transmitter sent 
than he could have before the observation. This ideal can be achieved in infinitely 
many perfect authentication systems [5,6]. 



THE "GAME" MODEL OF AUTHENTICATION 

A concise representation of the authentication system depicted in Figure 2 is 
possible in the form of an $|\mathcal{E}| \times |\mathcal{M}|$ matrix, $A$, where $\mathcal{E}$ is the set of encoding 
rules. The rows of $A$ are indexed by encoding rules and the columns by messages. 
The entry $a(e_i, m_j)$ is the element of $S$ encoded by rule $e_i$ into message $m_j$ if such 
a source mapping exists under $e_i$ and 0 otherwise. Every element of $S$ appears in 
each row of $A$ at least once and perhaps several times. We define an authentication 
system to be the triple $(S, \mathcal{S}, A)$. Earlier comments imply that each row and column 
contains at least one 0 entry. We now define another $|\mathcal{E}| \times |\mathcal{M}|$ matrix $X$, in which 

$$ \chi(e_i, m_j) = \begin{cases} 1 & \text{if } a(e_i, m_j) \in S \\ 0 & \text{otherwise} \end{cases} $$

For example, for $|S| = 2$, $|\mathcal{M}| = 4$, the "best" authentication system possible has: 
It is now easy to see the relationship of the impersonation "game" to the matrix $X$. 
If $m_j$ is an acceptable (authentic) message to the receiver when encoding rule $e_i$ has 
been agreed to by the transmitter and receiver then $\chi(e_i, m_j) = 1$ and the opponent has 
a probability of success of $p = 1$ if he communicates $m_j$ to the receiver. 
Conversely, whenever $\chi(e_i, m_j) = 0$ he is certain the message will be rejected. It is 
certainly plausible, and in fact rigorously true, that the opponent's probability 
of success in impersonating the transmitter is the value, $v_I$, of the zero sum game 
whose payoff matrix is $X$. It is possible to define a companion payoff matrix $Y$ for 
the substitution game, although it is considerably more complex. The value of this 
game, $v_S$, is the probability that the opponent will be successful in deceiving the 
receiver through intercepting a message sent by the transmitter and substituting one 
of his own devising. Given an authentication system the transmitter/receiver have 
the freedom to choose among the encoding rules and if some state(s) of the source 
can be encoded into more than one message under some of the encoding rules, a choice 
of which messages to use, i.e., a splitting strategy. The opponent on the other 
hand can choose between impersonation and substitution with whatever probability 
distribution he wishes and then choose according to his optimal strategy which 
fraudulent message he will communicate to the receiver, either with no conditioning 
if he is impersonating the transmitter or else conditioned on the message he 
observed if he is substituting messages. Not surprisingly there exist 
authentication systems in which the optimal strategy for the opponent is either pure 
impersonation, pure substitution, immaterial mixes of the two, or, most interesting, 
essential mixing of both, as well as examples in which splitting is essential in the 
transmitter/receiver's optimal strategies. The point of these remarks is that we 
have shown in earlier papers that an opponent's overall probability of success in 
deceiving the receiver, $P_d$, is simply the value of the game whose payoff matrix is 
the concatenation of $X$ and $Y$, and hence that 

$$ (2)\qquad P_d = v_G \ge \max(v_I, v_S) . $$

It is not germane to this paper to develop the payoff matrix $Y$, since (2) is the 
only result pertaining to the substitution game that we shall need later. 

With these preliminaries out of the way we survey the essential notation used 
in the authentication model. 

Name                      Set             Element                     Variable 
Source                    $S$             $s_i$                       $S$ 
Message Space             $\mathcal{M}$   $m_j$                       $M$ 
Encoding Rules            $\mathcal{E}$   $e_k$                       $E$ 
Splitting Strategies                      $\pi(m_j \mid s_i, e_k)$    $\Pi$ 
Impersonation Strategy    $Q$             $q_j$                       $Q$ 

$P(X = x)$: probability that the random variable $X$ takes the value $x$, 
as for example $P(M = m)$, $P(S = s)$ or $P(E = e)$. 

Name                                                    Entropy 
Source Distribution                                     $H(S)$ 
Message Distribution                                    $H(M)$ 
Coding Strategy                                         $H(E)$ 
Joint (message, coding strategy, source) Distribution   $H(MES)$ 

$A$            encoding matrix 
$X$            impersonation payoff matrix 
$Y$            substitution payoff matrix 
$XY$           concatenated authentication payoff matrix 
$v_I$          value of impersonation game on $X$ (to opponent) 
$v_S$          value of substitution game on $Y$ (to opponent) 
$P_d = v_G$    probability that opponent deceives the receiver: value of game on $XY$. 

$|e_i| = \sum_{m \in \mathcal{M}} \chi(e_i, m)$   number of nonzero entries in the $e_i$ row of either $A$ or $X$. 

$|m_j| = \sum_{e \in \mathcal{E}} \chi(e, m_j)$   number of nonzero entries in the $m_j$ column of either $A$ or $X$. 



THE AUTHENTICATION CHANNEL BOUND 

Our object In this paper is to derive channel bounds for the authentication 
channel. Several such bounds are easy. 



Theorem 1. 

$$ (3)\qquad P_d = v_G \ge \frac{\min_e |e|}{|\mathcal{M}|} $$

Proof: 

As has already been noted, the opponent has available as part of his strategy 
the choice of whether to impersonate the transmitter or to substitute messages, 
hence the value of the concatenated game is at least as large as the value of either 
game alone. We actually prove that for the impersonation game: 

$$ v_I \ge \frac{\min_e |e|}{|\mathcal{M}|} . $$

The payoff matrix for $A$ is the $|\mathcal{E}| \times |\mathcal{M}|$ (0,1) matrix $X$ in which $\chi(e_i, m_j) = 1$ if some 
state of $S$ is encoded into $m_j$ by the encoding rule $e_i$, and 0 otherwise. If the 
transmitter/receiver are playing an optimal strategy $E$ (probability that encoding 
rule $e_i$ is played is $P(E = e_i)$) and the opponent is impersonating the transmitter 
with an optimal strategy $Q$ (probability that he sends $m_j$ is $q_j$) then the expected 
value to the opponent of impersonating with message $m_j$ is 

$$ r_j = \sum_{e \in \mathcal{E}} P(E = e)\,\chi(e, m_j) $$

and his expected payoff from playing strategy $Q$ is simply the value of the game 

$$ v_I = \sum_{m \in \mathcal{M}} q(m) \sum_{e \in \mathcal{E}} P(E = e)\,\chi(e, m) . $$

Since $v_I$ is the value of the game for the opponent, realized playing an optimal 
strategy $Q$, it is at least as large as the value realized by his playing any other 
strategy, in particular the uniform probability distribution on $\mathcal{M}$. Therefore, 

$$ (4)\qquad v_I = \sum_{m \in \mathcal{M}} q(m) \sum_{e \in \mathcal{E}} P(E = e)\,\chi(e, m) \;\ge\; \sum_{m \in \mathcal{M}} \frac{1}{|\mathcal{M}|} \sum_{e \in \mathcal{E}} P(E = e)\,\chi(e, m) = \frac{1}{|\mathcal{M}|} \sum_{e \in \mathcal{E}} P(E = e) \sum_{m \in \mathcal{M}} \chi(e, m) = \frac{1}{|\mathcal{M}|} \sum_{e \in \mathcal{E}} |e|\, P(E = e) . $$

The inequality is only weakened by replacing $|e|$ by $\min_e |e|$. Therefore, 

$$ v_G \ge v_I \ge \frac{\min_e |e|}{|\mathcal{M}|} $$

as was to be shown. 

Corollary: 

Since $\min_e |e| \ge |S|$, 

$$ (5)\qquad P_d = v_G \ge \frac{|S|}{|\mathcal{M}|} . $$
Theorem 2. 



to! 



Given an authentication system (S, S, A) for which 



mm | e | 

(6) v„ 6 



|m| 

in every optimal strategy, E, for the transmitter/receiver P(E = e) - 0 for any 

encoding rule for which |e| > min|e|. 

t 

Proof:

As in the proof of Theorem 1 we use the fact that v_G \geq v_I and actually prove
the conditions of the theorem for the impersonation game. From (4) we have

    v_I = \sum_{m \in \mathcal{M}} q(m) \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) .

Assume that there is some encoding rule, e_j, for which |e_j| > \min_e |e| and for which
P(E = e_j) > 0. As noted before Q is an optimal strategy for the opponent and hence
v_I is at least as great an expectation for him as he could achieve using any other
strategy, in particular the uniform probability distribution on \mathcal{M}:

    v_I \geq v(\text{uniform}) = \sum_{m \in \mathcal{M}} \frac{1}{|\mathcal{M}|} \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m)
        = \sum_{e \in \mathcal{E}} P(E = e) \frac{|e|}{|\mathcal{M}|}
        > \sum_{e \in \mathcal{E}} P(E = e) \frac{\min_e |e|}{|\mathcal{M}|}
        = \frac{\min_e |e|}{|\mathcal{M}|}

if P(E = e) > 0 for any e \in \mathcal{E} for which |e| > \min_e |e|, which contradicts (6). □

Corollary:

If for an authentication system (\mathcal{S}, \mathcal{E}, A)

    v_G = \frac{|\mathcal{S}|}{|\mathcal{M}|} ,

which by Theorem 1 can only happen if \min_e |e| = |\mathcal{S}|, then every optimal strategy for
the transmitter/receiver, E, has P(E = e) = 0 for any encoding rule for which |e| > |\mathcal{S}|.

Another way of stating the conclusion of the Corollary is that if v_G = |\mathcal{S}| / |\mathcal{M}|
no splitting occurs in any encoding rule occurring in an optimal strategy. It is
worth remarking that

    v_G = \frac{\min_e |e|}{|\mathcal{M}|}

does not imply that splitting does not occur in any of the encoding rules that occur
in \mathcal{E}. What is true, by Theorem 2, is that in this case all of the encoding rules
that occur (with positive probability) in an optimal strategy use the same number of
messages.

Several other channel capacity theorems of similar flavor can be proven; however
we now turn to our primary object in this paper: establishing bounds on the
authentication channel in terms of the various entropies on the primary variables.
A trivial bound can be given in terms of H(E). Since H(E) is the total equivocation
that the opponent has as to which encoding rule is being used by the transmitter/
receiver, and since he could deceive the receiver with certainty if he only knew the
rule they had chosen, we have

    (7)  \log P_d = \log v_G \geq -H(E) .

(7) isn't a particularly useful result since as we shall see later there is a much
stronger bound in terms of H(E). The bound of the following theorem is the main
result on which the theory of authentication is based.

Theorem 3. (Authentication Channel Capacity)

    (8)  \log P_d \geq H(MES) - H(E) - H(M) .
Proof:

Let P(M = m) be the probability that message m will be observed in the channel
when states of the source occur according to the probability distribution S and are
encoded by the transmitter with an encoding rule chosen from \mathcal{E} with probability
distribution E, employing splitting strategies \pi. P(M = m) is formally

    (9)  P(M = m) = \sum_{(e,s) \in \mathcal{E} \times \mathcal{S}} P(M = m, E = e, S = s)

or equivalently

    (10)  P(M = m) = \sum_{(e,s) \in \mathcal{E} \times \mathcal{S}} P(M = m, E = e, S = s) \, \chi(e, m)

where

    \chi(e, m) = 1 if some state of the source can be encoded into m using encoding rule e,
                 0 otherwise.

The formal sum (10) has the same value as (9) since

    P(M = m, E = e, S = s) \neq 0 \;\Rightarrow\; \chi(e, m) = 1 .

The converse need not be true, i.e., \chi(e, m) = 1 can hold while P(M = m, E = e,
S = s) = 0, either because some s', other than the s in P(M = m, E = e, S = s), is
encoded into m by e, or else because the state occurring in P(M = m, E = e, S = s)
could be encoded into m and some other message(s) under e, but the splitting
rule used by the transmitter never uses m. \chi(e, m) is the authentication function on
\mathcal{M} since the receiver will accept a message m when encoding rule e has been selected
if and only if \chi(e, m) = 1.

The joint probability P(M = m, E = e, S = s) can be represented as the product
of the conditional probability that m will be sent given that state s occurred and
that encoding rule e is being used, \pi(m | e, s), times the independent probabilities
that these events occur:

    (11)  P(M = m) = \sum_{(e,s) \in \mathcal{E} \times \mathcal{S}} P(E = e) \chi(e, m) P(S = s) \pi(m | e, s) .

We now wish to restrict the domain from the Cartesian product \mathcal{E} \times \mathcal{S} to only \mathcal{E} by
using the inverse mapping to e, D(e, m); \chi(e, m) was introduced in (2) to make this
possible:

    (12)  P(M = m) = \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) P(S = D(e, m)) \pi(m | e, D(e, m))

since

    \chi(e, m) \pi(m | e, s) = 0 unless D(e, m) = s .

Define a probability distribution W(m) = \{ w_e(m) \} on e \in \mathcal{E} for every m \in \mathcal{M}:

    (13)  w_e(m) = \frac{P(E = e) \chi(e, m)}{\sum_{e^* \in \mathcal{E}} P(E = e^*) \chi(e^*, m)} .

w_e(m) is well defined since every m \in \mathcal{M} is acceptable to the receiver for at least
one choice of an encoding rule. Also \sum_{e \in \mathcal{E}} w_e(m) \chi(e, m) = 1. Multiplying the summand
in (12) by

    \frac{\sum_{e^* \in \mathcal{E}} P(E = e^*) \chi(e^*, m)}{\sum_{e^* \in \mathcal{E}} P(E = e^*) \chi(e^*, m)}

we obtain

    (14)  P(M = m) = \sum_{e \in \mathcal{E}} w_e(m) \Big\{ \Big[ \sum_{e^* \in \mathcal{E}} P(E = e^*) \chi(e^*, m) \Big] P(S = D(e, m)) \pi(m | e, D(e, m)) \Big\} .

We now wish to form -P(M = m) \log P(M = m) on both sides of (14) as a first step to
calculating the entropy H(M) of the messages observed in the channel. Formally,



    (15)  -P(M = m) \log P(M = m) = -\Big[ \sum_{e \in \mathcal{E}} w_e(m) \{\dots\} \Big] \log \Big[ \sum_{e \in \mathcal{E}} w_e(m) \{\dots\} \Big] .

Noting that -x \log x is concave downwards, we use Jensen's inequality, which says
that if g(x) is a concave function on (a, b), and if (x_i) are arbitrary real
arguments, a < x_i < b, then for any set of positive weights w_i with \sum_i w_i = 1,

    g\Big( \sum_i w_i x_i \Big) \geq \sum_i w_i \, g(x_i) ,

to replace the equality in (15) with an inequality. Let x = \{\dots\} in (15):

    (16)  -P(M = m) \log P(M = m) \geq -\sum_{e \in \mathcal{E}} w_e(m) \{\dots\} \log \{\dots\} .

By canceling the sum \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) between the denominator of w_e(m) and \{\dots\},
and by splitting the logarithm of the product in \{\dots\} into the sum of three
logarithms, we get

    (17)  -P(M = m) \log P(M = m) \geq -\sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) P(S = D(e, m)) \pi(m | e, D(e, m))
              \times \Big[ \log \Big( \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) \Big) + \log P(S = D(e, m)) + \log \pi(m | e, D(e, m)) \Big] .
Now, we make use of the game model for the authentication channel to bound (17)
below. The value of the impersonation game, v_I, is

    (18)  v_I = \max_{m \in \mathcal{M}} \sum_{e \in \mathcal{E}} P(E^* = e) \chi(e, m) \geq \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m)

where E^* is an optimal strategy for the transmitter/receiver and E is an arbitrary
strategy. Inequality (18) is at worst weakened through replacing

    \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m)

in [\dots] with the maximum value it can have for any choice of m. Summing both sides
of (18) over all m \in \mathcal{M}, we get

    H(M) = -\sum_{m \in \mathcal{M}} P(M = m) \log P(M = m)

on the left and the expression in (19) on the right:

    (19)  H(M) \geq -\sum_{m \in \mathcal{M}} \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) P(S = D(e, m)) \pi(m | e, D(e, m))
              \times \Big[ \log v_I + \log P(S = D(e, m)) + \log \pi(m | e, D(e, m)) \Big] .

Since \log v_I is a constant it can be moved through the double summation to give

    \log v_I \sum_{m \in \mathcal{M}} \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) P(S = D(e, m)) \pi(m | e, D(e, m)) .

Using (12), the summand can be replaced by P(M = m):

    \log v_I \sum_{m \in \mathcal{M}} P(M = m) = \log v_I ,

so that (19) becomes

    (20)  H(M) \geq -\log v_I - \sum_{m \in \mathcal{M}} \sum_{e \in \mathcal{E}} P(E = e) \chi(e, m) P(S = D(e, m))
              \times \pi(m | e, D(e, m)) \{ \log P(S = D(e, m)) + \log \pi(m | e, D(e, m)) \} .
It has already been noted that

    \chi(e, m) \pi(m | e, s) = 0

unless D(e, m) = s, therefore (20) can be rewritten in the form

    (21)  H(M) \geq -\log v_I - \sum_{e \in \mathcal{E}} \sum_{s \in \mathcal{S}} \sum_{\substack{m \in \mathcal{M} \\ D(e,m) = s}} P(E = e) P(S = s) \pi(m | e, s)
              \times \{ \log P(S = s) + \log \pi(m | e, s) \}

    (22)       = -\log v_I - \sum_{e \in \mathcal{E}} \sum_{s \in \mathcal{S}} P(E = e) P(S = s) \log P(S = s)
                 - \sum_{e \in \mathcal{E}} \sum_{s \in \mathcal{S}} P(E = e) P(S = s) \sum_{\substack{m \in \mathcal{M} \\ D(e,m) = s}} \pi(m | e, s) \log \pi(m | e, s)

since

    \sum_{\substack{m \in \mathcal{M} \\ D(e,m) = s}} \pi(m | e, s) = 1 .

Moving the summation over \mathcal{S} through P(E = e), we obtain

    (23)  H(M) \geq -\log v_I + \sum_{e \in \mathcal{E}} P(E = e) H(S) + \sum_{e \in \mathcal{E}} \sum_{s \in \mathcal{S}} P(E = e) P(S = s) H(M | ES)

    (24)       = -\log v_I + H(S) + H(M | ES) .

Using the entropy identity

    H(A | B) = H(AB) - H(B)

(24) becomes

    (25)  \log v_I \geq H(S) + H(MES) - H(ES) - H(M) .

But

    H(ES) = H(E | S) + H(S) = H(E) + H(S)

since E and S are independent. Therefore

    \log v_I \geq H(MES) - H(E) - H(M) .

The conclusion of the theorem follows from the earlier result that

    P_d = v_G \geq \max(v_I, v_S) ,

so that

    (26)  \log P_d = \log v_G \geq \log v_I \geq H(MES) - H(E) - H(M)

as was to be shown. □

The hard work is now completed. A variety of useful equivalent expressions can
be derived from (26) using simple identities from information theory, for the cases
of authentication either with or without secrecy. We illustrate the technique in
Theorem 4 for the case of authentication with secrecy, i.e., the opponent does
not know the state of the source observed by the transmitter. This, of course, only
matters when the opponent elects to substitute messages rather than to impersonate
the transmitter.

Theorem 4.

H(MES) - H(E) - H(M) is equivalent to any of the following eight entropy
expressions.

            X      Equivalent Form
    (27)    ES     H(M|ES) + H(S) - H(M)
    (28)    MS     H(E|MS) - H(E) + H(MS) - H(M)
    (29)           or  H(E|MS) - H(E) + H(S|M)
    (30)    ME     H(E|M) - H(E)
    (31)           or  H(M|E) - H(M)
    (32)    S      H(ME|S) + H(S) - H(E) - H(M)
    (33)    E      H(MS|E) - H(M)
    (34)    M      H(ES|M) - H(E)
Proof:

The proof in each case proceeds by splitting the argument in the entropy H(MES)
through conditioning the joint probability on X and then using simple identities to
reduce the resulting expressions. The derivation of (27) is typical:

    H(MES) = H(M|ES) + H(ES)
           = H(M|ES) + H(E|S) + H(S)
           = H(M|ES) + H(E) + H(S)

since E and S are independent random variables. Hence

    H(MES) - H(E) - H(M) = H(M|ES) + H(S) - H(M)

as was to be shown, etc. □

Using the results of Theorem 1 it is possible to derive some (generally) weaker
but enlightening channel bounds. We first note that the total effective equivoca-
tion to the opponent playing the substitution game but without knowledge of the
source state, i.e., authentication with secrecy, is no greater than H(E|M) and as
remarked earlier, the opponent's total effective equivocation if he knows the source
state, i.e., authentication without secrecy, is at most H(E|MS).



Theorem 5.

For authentication with secrecy

    (35)  \log v_G \geq -\tfrac{1}{2} H(E)

while for authentication without secrecy

    (36)  \log v_G \geq -\tfrac{1}{2} \{ H(E) - H(MS) + H(M) \} = -\tfrac{1}{2} \{ H(E) - H(S|M) \} .

Proof:

For authentication with secrecy

    (37)  \log v_G \geq \min\{ \log v_I, \; -H(E|M) \}

while for authentication without secrecy

    (38)  \log v_G \geq \min\{ \log v_I, \; -H(E|MS) \} .

In either (37) or (38) the bounds derived in Theorems 3 and 4 on the value of the
impersonation game can be substituted, since the opponent's impersonation strategy
is independent of whether he plays substitution with or without secrecy. Replacing
the minimum on the right-hand side of the inequality by the average of the two
bracketed terms either weakens the inequality if the terms are not identical or
leaves it unaffected if they are. Therefore for authentication with secrecy,
replacing \log v_I with the bound (30) in (37) we get

    \log v_G \geq \tfrac{1}{2} \{ H(E|M) - H(E) - H(E|M) \} = -\tfrac{1}{2} H(E)

and similarly by replacing \log v_I with the bounds (28) or (29) in (38) we get

    \log v_G \geq \tfrac{1}{2} \{ H(E|MS) - H(E) + H(MS) - H(M) - H(E|MS) \}
             = -\tfrac{1}{2} \{ H(E) - H(MS) + H(M) \}

or

    \log v_G \geq \tfrac{1}{2} \{ H(E|MS) - H(E) + H(S|M) - H(E|MS) \}
             = -\tfrac{1}{2} \{ H(E) - H(S|M) \}

as was to be shown. □



Corollary:

    (39)  P_d = v_G \geq \frac{1}{\sqrt{|\mathcal{E}|}} .

Proof:

    H(E) \leq \log |\mathcal{E}|

with equality if and only if the transmitter/receiver's optimal strategy E is the
uniform probability distribution on \mathcal{E}. The conclusion follows by substituting (39)
into (35). □

Bound (35) was first found by Gilbert, MacWilliams and Sloane [7] under slightly
more restrictive conditions and derived directly in the same generality used here by
Simmons and Brickell in [6]. (35) is the bound based on H(E) promised earlier when
the trivial bound in (7) was given.
FOR EXAMPLE

In this section, in order to show the effects of secrecy on both the strategies
of the participants and on the game values as well as to illustrate parameters such
as splitting, etc., we discuss two small examples. Earlier we described an authen-
tication system for which |\mathcal{E}| = |\mathcal{M}| = 4, |\mathcal{S}| = 2 and for which the payoff matrix X
was:

    (40)  X = [ 1 1 0 0 ]
              [ 1 0 1 0 ]
              [ 0 1 0 1 ]
              [ 0 0 1 1 ]

X could also be the payoff matrix for many different authentication systems, one of
which was exhibited before

    (41)  A = [4 × 4 matrix with entries 0, s_1, s_2 and the acceptance pattern of X; entries not legible in the source]

One other such system is

    (42)  A* = [matrix not legible in the source]




In either case v_I = 1/2 with an optimal strategy for either player being the uniform
probability strategy on rows (transmitter) and on columns (opponent). If we con-
sider only substitution with secrecy, then it makes no difference to the opponent
whether the transmitter/receiver are using the authentication system (\mathcal{S}, \mathcal{E}, A) or
(\mathcal{S}, \mathcal{E}, A^*), since in either case when he sees a message he is faced with two possi-
ble encoding rules and hence with a choice between two equilikely messages to sub-
stitute, one of which will be accepted and one rejected. His probability of suc-
cess in either case is 1/2, which is precisely what his chances of success in imper-
sonating the transmitter would have been had he not waited to observe a message.
Hence for authentication with secrecy P_d = 1/2. The situation is different however
for authentication without secrecy. In this case for the system (\mathcal{S}, \mathcal{E}, A) the same
arguments given for the authentication with secrecy case hold and P_d = v_G = v_I = v_S
= 1/2. For the system (\mathcal{S}, \mathcal{E}, A^*) however, if the opponent waits to observe a
message he will know with certainty which encoding rule the transmitter/receiver
have chosen and hence can substitute another message with certainty that not only
will it be accepted as authentic by the receiver but that the receiver will be
misinformed as a result. Therefore in this case

    P_d = v_G = v_S = 1 > v_I = \tfrac{1}{2} .

Incidentally the system (\mathcal{S}, \mathcal{E}, A) is perfect and is also an instance in which
equality holds in (39).

We conclude by showing another example in which equality holds in (39) and in
which, in addition, splitting is essential (for the transmitter/receiver) to hold
the opponent to the game value 1/\sqrt{|\mathcal{E}|}. In order to have a concise description
of (\mathcal{S}, \mathcal{E}, A) we introduce a notation for A. \mathcal{M} is partitioned into disjoint parts,
three in the example, and the elements in each part indexed. The encoding rules
will be of a special type (Cartesian) that encode a state of the source only into
the messages in a particular part. In the example |\mathcal{S}| = 3, |\mathcal{M}| = 12 and |\mathcal{E}| = 16.
The partition of \mathcal{M} is into 4, 4 and 8 elements, indexed 1, 2, 3, 4; 1, 2, 3, 4 and
1, 2, 3, 4, 5, 6, 7, 8, respectively. The states of the source are assumed to be
equiprobable.



             s_1    s_2    s_3
    e_1       1      1     1,2
    e_2       1      2     3,4
    e_3       1      3     5,6
    e_4       1      4     7,8
    e_5       2      1     3,8
    e_6       2      2     1,7
    e_7       2      3     2,4
    e_8       2      4     5,6
    e_9       3      1     5,7
    e_10      3      2     2,6
    e_11      3      3     1,8
    e_12      3      4     3,4
    e_13      4      1     4,6
    e_14      4      2     5,8
    e_15      4      3     3,7
    e_16      4      4     1,2



Encoding rule e_1 says that source state s_1 will be encoded into message 1 of part 1,
state s_2 into message 1 of part 2 and state s_3 into either message 1 or message 2 of
part 3, etc. The unique optimal strategy, E, for the transmitter/receiver is the
uniform probability distribution P(E = e_i) = 1/16 with uniform splitting; i.e., if
e_1 is being used and state s_3 occurs, then a fair coin would be tossed to decide
whether message 1 or 2 of part 3 was to be sent, etc. Against strategies S and \pi,
the value of the game is

    P_d = v_G = \frac{|\mathcal{S}|}{|\mathcal{M}|} = \frac{3}{12} = \frac{1}{4}

and the game is perfect. Although it isn't quite obvious, it is easy to show that
it doesn't matter to the opponent whether he chooses to impersonate the transmitter
or to wait and observe a message and then substitute another message; in either case
if he plays optimally his chance of success will be 1/4. Note that in this example
while the opponent is faced with two bits of equivocation irrespective of whether he
impersonates or substitutes, i.e., v_I = v_S = 1/4, the equivocation about the
source state is only \log_2 3 = 1.585 bits, or P(S = s) = 1/3 for any s \in \mathcal{S}. Thus
while the opponent could guess the state of the source with a probability of success
of 1/3 he could only guess at a message to communicate a state with probability 1/4.
If one considers what the channel bound theorem says, this is no paradox and P_d can
be made as small as desired, even for a one-bit source in which P(S = s) = 1/2.
This example, incidentally, is one of the smallest illustrating an infinite class of
perfect authentication systems [5] with essential splitting.

CONCLUSION 

In this paper we have proven that the bounds on the authentication channel are 
precisely what one would intuitively expect (and hope for), namely that the dif- 
ference between the amount of information transmitted through the channel and that 
needed by the receiver to resolve his equivocation about the source state can be 
used to authenticate the message, and conversely that no better result can be 
achieved. We also exhibited small examples demonstrating that it is possible to use 
all of this residual information to confound the opponent, i.e., that the channel 
bounds are sharp. 
ABSTRACT

As the use of computers becomes more pervasive, they are capturing increasingly more 
revealing data about our habits, lifestyles, values, whereabouts, associations, political and 
religious orientation, etc. The current approach, which requires individuals to identify themselves 
in relationships with organizations, allows records of all an individual's relationships to be linked 
and collected together into a dossier or personal profile. Even though such profiles are too 
extensive to evaluate manually on a mass basis, automated evaluation is becoming increasingly 
feasible. 

A new approach prevents linking of such data, by allowing individuals to conduct 
relationships under different account numbers or "digital pseudonyms." The pseudonyms are 
created by a physical random process within a credit-card-sized computer carried by the 
individual. The card has no secrets from the individual or structure unmodifiable by the 
individual; it is merely a computer that acts on the individual's behalf and provides a convenient 
interface. 

New cryptographic protocols provide security for both individuals and organizations 
against abuses by the other. A comprehensive set of three types of consumer transactions can be 
conducted, each using a different protocol. A communication protocol allows individuals to send 
and receive confidential and authenticated messages under pseudonyms. But even the tapping of 
all communication channels and the cooperation of all organizations does not allow messages to 
be traced to an individual. A payments system protocol allows an individual to pay or be paid,
using an account maintained under a pseudonym with a bank. But even cooperation between the 
bank and other parties to payments does not allow payments to be traced to the individual's 
account. A credentials protocol allows digitally signed credential statements issued to an 
individual under one pseudonym to be transformed into statements that can be shown on the
individual's other pseudonyms. But the credentials shown to one organization do not allow 
tracing of the pseudonyms used with other organizations. All three protocols can be shown by 
simple mathematical proof to be unconditionally untraceable, i.e., untraceable no matter how
much computation is expended by tracing efforts. 

This new approach may actually provide better protection against abuse by individuals, 
even in areas like consumer credit, social welfare, insurance, etc. than could be acceptably 
obtained under the current approach. Organizations may favor the new paradigm also because of 
reduced costs, reduced data maintenance and related exposure, and because of the opportunities 
for improved good will with advanced computerization. For individuals, the new paradigm offers 
greater convenience because they can select the card computer that suits them best, the full 
capabilities of a lost card can conveniently be restored into a replacement card, and the card can 
protect itself against use by anyone other than its owner. As the public becomes more aware of 
and familiar with the extent and possibilities of emerging information technology, appreciation of 
these advantages may grow. Of course an essential advantage of the new approach to individuals 
is the potential it offers them for regaining monitorability and control over the maintenance and 
use of information about themselves by others. 
Abstract

We consider two problems which arose in the context of "The Exchange of Secret Keys" (see [1]). 

(1). In the original protocol, one party may halt the exchange and have a 2 to 1 expected time
advantage in computing the other party's secret. To solve this problem, when there is a particular 
point in the exchange where this time advantage may be critical, we presented at CRYPTO 83 
(see [5]), a method for exchanging "fractions" of a single bit.

In this paper we extend the method so as to apply it to all bits to be exchanged, and show how it 
can be used in a more abstract setting (as in [2]). 

(2). We also present a solution to the problem of how to ensure a fair exchange of secrets when
one party in the exchange is "risk seeking", while the other is "risk-adverse". 

Notation: 

We use ^ to signify exponentiation, i.e. 2^k represents 2 raised to the kth power.
Introduction: 

The following scenario occurs in both [1] and [2].
There are 2 parties A (Alice) and B (Bob). 
Alice holds n pairs of m bit long secrets 

< a(l,l), a(l,2) >, < a(2,l), a(2,2) >, ... , < a(n,l), a(n,2) > 

Bob knows exactly one secret from each pair, while Alice does not know which one he knows (this 
condition can be achieved using an "oblivious transfer" protocol as in [2] and [4]).

Similarly Bob has n pairs of secrets denoted 

< b(l,l), b(l,2) > < b(n,l), b(n,2) > 

Alice knows exactly one secret from each pair, etc. 

Each party is eager to know both elements of any pair of his counterpart's secrets. In Blum's
"Exchange of Secret Keys" such knowledge allows one to factor (i.e. obtain the secret key of an
RSA/Rabin or Goldwasser/Micali public key crypto-system). In the Even/Goldreich/Lempel
"Randomized Protocol for Signing Contracts" knowledge of a pair constitutes having a signature
to the contract.

We assume that computing a secret can only be done by an exhaustive search of the secret space 
(the set of m-bit long strings). 
Both Blum and Even/Goldreich/Lempel apply the following protocol, in order to reach concurrent
knowledge of one pair of secrets:

For k=1 to m do

    (1). Alice sends the kth bit of each a(i,j)

    (2). Bob sends the kth bit of each b(i,j)

Note that in order to prevent the counterpart from getting any pair of secrets, a dishonest party 
must send incorrect bits for at least one element in each pair. But the chance of getting away 
with this is 1/2^n.

If both parties follow the protocol properly each can compute a complete pair of their 
counterpart's secrets in about the same amount of time. However some problems arise which we 
discuss in the following sections. 

First Problem: 

If Bob halts the protocol after Alice sends the kth bits of her secrets then Bob has a 2 to 1
computational advantage. He needs only search through a subset of 2^(m-k) possible secrets to
compute a pair, while Alice needs to search a subset of size 2^(m+1-k) (twice as large).

In [5] we discussed several methods of exchanging fractions of a bit when there is a key bit that is
crucial. Micali/Luby/Rackoff have also written a very nice paper on exchanging a secret bit using 
a different approach (see [3]).

We here extend one of the methods in [5] so as to carry it out throughout the exchange, keeping 
Bob's computational advantage at any point below a predetermined amount. 

The method (an example) 

We first illustrate the method by giving an example. 

Bob and Alice agree that the maximum computational advantage will be 5 to 4 (instead of 2 to 1
as in the original protocol).

For each a(i,j), Alice stores the strings 

000 

001 

010 * 

011 

100 

101 

110 

111 

Exactly one of these strings corresponds correctly to the first three bits of a(i,j), say 010 (marked 
with a * for reference). 

Bob acts similarly. 

Now a series of exchanges takes place. 

For each a(i,j) Alice sends the message: 

the next three bits of a(i,j) are not xyz (say not 101 for example). 
Bob responds similarly. 

Note that after Alice sends her messages Bob has first an 8 to 7, then a 7 to 6, then a 6 to 5, then 
a 5 to 4 edge (in the ratio between the size of the secret space Alice has to search and the space 
Bob has to search). 
When only half the original strings remain, say for example

001 

010 * 

110 

111 

8 new strings (for each a(i,j) etc.) are created by adding 0 or 1 to the old strings. We get: 

0010 

0011 

0100 

0101 • 

1100 

1101 

1110 

1111 

Note again that exactly one of these strings corresponds to the correct first 4 bits of a(i,j). 

The exchange then takes place again until 4 strings remain (for each a(i,j)), 8 new strings are 
created, etc. 

Note that the maximum computational advantage for Bob is 5 to 4. 

Note that the chance of getting caught cheating by sending incorrect strings is exactly the same 
as in the original protocol: each time incorrect information is sent the chance of being detected is 

50%. 

A more formal description of the method:

(1). Decide on an acceptable integer k, where the maximum computational advantage will be
(2^k)+1 to 2^k.

(2). For each a(i,j) and b(i,j) store the 2^(k+1) strings of length k+1.

(3). Repeat until done:

    For x=1 to 2^k do:
        Alice sends a string, for each a(i,j)
        Bob sends a string, for each b(i,j)
    End {For}

    Alice and Bob create 2^(k+1) strings, for each a(i,j) and b(i,j), by adding 0 or 1 to the 2^k
    unsent strings.
End {Repeat}
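The procedure above, simulated for one secret per side as an added example (this is my code, not the paper's): each party holds 2^(k+1) candidate prefixes of its own secret, names one wrong candidate per turn, and extends the 2^k survivors after each round. The trace records Bob's edge after each of Alice's messages, which for k = 2 runs 8:7, 7:6, 6:5, 5:4 and never exceeds (2^k+1):2^k. The choice of which wrong string to name (random, seeded) and the decision to stop once the prefixes reach full length are my assumptions.

```python
from fractions import Fraction
import random

def all_strings(length):
    """All bit strings of the given length, e.g. the 2^(k+1) strings of length k+1."""
    return [format(i, f"0{length}b") for i in range(2 ** length)]

def exchange_trace(a_secret, b_secret, k, seed=0):
    """Simulate the fraction-of-a-bit exchange for one m-bit secret per side.

    Each party holds 2^(k+1) candidate prefixes of its own secret and, in turn, names
    one WRONG candidate ("the next bits are not xyz"); after 2^k such messages the
    2^k survivors are extended by 0 and 1 and the round repeats until the prefixes
    are full length (assumed stopping point).  Returns (trace, cands_a, cands_b) where
    trace[t] is Bob's edge just after Alice's t-th message, as
    |space Alice must search| / |space Bob must search|.
    """
    rng = random.Random(seed)
    m = len(a_secret)
    if len(b_secret) != m or k < 1 or m < k + 1:
        raise ValueError("secrets must have equal length m >= k + 1")
    length = k + 1
    cands_a, cands_b = all_strings(length), all_strings(length)
    trace = []
    while True:
        for _ in range(2 ** k):
            # Alice eliminates one candidate that is not her true prefix.
            cands_a.remove(rng.choice([s for s in cands_a if s != a_secret[:length]]))
            # Both sides' candidates have the same length, so the ratio of the
            # unresolved spaces (#candidates * 2^(m - length)) is the ratio of counts.
            trace.append(Fraction(len(cands_b), len(cands_a)))
            cands_b.remove(rng.choice([s for s in cands_b if s != b_secret[:length]]))
        if length == m:
            return trace, cands_a, cands_b
        # Half the strings remain: grow them into 2^(k+1) strings one bit longer.
        length += 1
        cands_a = [s + bit for s in cands_a for bit in "01"]
        cands_b = [s + bit for s in cands_b for bit in "01"]

def max_advantage(k):
    """The bound the text states for parameter k: (2^k + 1) to 2^k."""
    return Fraction(2 ** k + 1, 2 ** k)

if __name__ == "__main__":
    # Constructed 20-bit sample secrets.
    trace, ca, cb = exchange_trace("01101000111010101101", "11100010100100011010", k=2, seed=7)
    print([str(x) for x in trace[:4]], "max", max(trace), "bound", max_advantage(2))
    print("survivors for Alice's secret:", ca)
```

The invariant worth watching is that the true prefix is never eliminated, so it is always among the survivors when a round ends; an honest party's final candidate list therefore contains the real secret,
which is what the test below checks.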
Time/space complexity of the method: 

With k chosen as above, there are o(n*(2^k)) strings of length <= m to be stored. So memory
needed is o(n*m*(2^k)).

Time needed is o(n*(m^2)*(2^k)). We present later a slightly more complicated version of the
method which may require an additional log(m) factor.

Suggested modification of "The Exchange of Secret Keys" 

Shamir/Goldreich have announced a method for breaking the original exchange of secret keys
protocol. We suggest that the protocol should be modified in two ways:

(1). In the original protocol a(i,l) and a(i,2) are distinct square roots of some quadratic residue Xi 
modulo Alice's public key, where Bob chooses Xi. We suggest that Alice should choose Xi at ran- 
dom and send Bob a root via oblivious transfer (see [4]). 
(2). In the original protocol Alice sends the bits of a(i,j) in order, first, second, third ... . Instead
the location of the next bit to be sent should be chosen randomly from the unused locations. The 
method described above for sending less than a bit fits well into this type of scheme and will be 
described briefly by means of an example. 

The method modified to be more random looking: 

Suppose we set a 5 to 4 advantage limit. 

For each a(i,j) we create 8 strings (say the bit length m=20). First choose a random location, say 
5. Create 2 strings 

0 

1 

Note that exactly one of these strings corresponds correctly to the bits of a(i,j). 

For each string create 2 new strings by choosing a random location and filling it with 0 or 1. 



0 0 

0 1 

1 0 

1 1 



Note again that exactly one string corresponds to the real a(i,j). 
Repeat the above process for each of the 4 strings: 

0--0 0 

0--1 0 

0 1 0- 

0 --- 1--- 1- 

1 0 0--- 

1 0 1--- 

1 1-0 

1 1-1 

Again note that exactly one of these strings corresponds correctly to a(ij). 

As in the first version, half the strings are exchanged. Then 8 new strings are created using the 4 
remaining strings. For example if the remaining 4 strings were: 

0-- 1 0 

0 1--- 1- 

1 0 0 

1 0 1--- 

we would create 8 new strings by choosing a random location in each old string and filling it with 
0 or 1, getting say: 

0-- 1 0 0 

0-- 1 0 1 

0 0 1 1 - 

0 1 1 1- 

1-0---0 0--- 

1 - 1 . . . o 0--- 

1 00 1--- 

1 0 1 1 
And so on. At each step exactly one string corresponds correctly to a(i,j).
Risk seeking vs. Risk Adverse 

We showed that the expected time for computing a secret can be made reasonably equal for both 
parties. However this may not be enough to discourage "risk-seeking" parties which may try to 
exploit the fact that the variance is large. 

Let Ta and Tb be random variables representing the time Alice and Bob need to compute each 
other's secret. We assume Ta and Tb have identical uniform distributions on some interval 1 to 
K. Neglecting insignificant terms (as we will throughout this analysis) we get E(Ta)= K/2. 

Let Y=Ta-Tb. Then E(|Y|)= K/3. So there is a good chance that if Bob halts the protocol at a 
certain point, he will discover Alice's secret well before she discovers his. 

Note E(Y^2)= (K^2)/6, or E(Y^2)= 1.5*(E(Ta))^2

One solution to this problem is to modify the nature of the secret. We take a large number, say 
X, old secrets. The new secret is defined to be knowledge of all X old secrets (there are interest- 
ing crypto-systems based on using a large number of keys, see [6], so this idea is not far fetched). 
Note that Ta is now the sum of X uniformly distributed random variables. If Y=Ta-Tb as before,
we find that E(Y^2)= (1.5*(E(Ta))^2)/X as opposed to 1.5*(E(Ta))^2 in the previous case. So the
squared distance Ta-Tb is reduced by a factor of X. So the expected distance between Ta and Tb
can be reduced to any level desired.

This is somewhat analogous to flipping a silver dollar as opposed to flipping 100 pennies. If
Alice gets the heads and Bob gets the tails then in each case they expect to get 50 cents, but in
the first case the variance is larger.

Overall costs are multiplied by a factor of X if this method is used. 
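A Monte Carlo check of the risk analysis above, added here as an example (not from the paper): Ta and Tb are drawn as sums of X independent search times uniform on (0, K), and the simulation estimates E|Y|/K, E[Y^2]/K^2 and the normalised squared gap E[Y^2]/E(Ta)^2, then compares the single-secret case with a compound secret of X old secrets. The continuous uniform on (0, K) in place of the interval 1 to K, and the sample sizes, are my assumptions.

```python
import random

def gap_stats(K, X, samples, seed=0):
    """Monte Carlo for the risk-seeking analysis.

    Ta and Tb are the times Alice and Bob need to finish their searches, each the sum
    of X independent uniform(0, K) search times (X = 1 is the single-secret case;
    endpoint effects are neglected as in the text).  Returns
    (E|Y| / K, E[Y^2] / K^2, E[Y^2] / E(Ta)^2) for Y = Ta - Tb.
    """
    rng = random.Random(seed)
    abs_y = sq_y = ta_total = 0.0
    for _ in range(samples):
        ta = sum(rng.uniform(0, K) for _ in range(X))
        tb = sum(rng.uniform(0, K) for _ in range(X))
        y = ta - tb
        abs_y += abs(y)
        sq_y += y * y
        ta_total += ta
    e_abs, e_sq, e_ta = abs_y / samples, sq_y / samples, ta_total / samples
    return e_abs / K, e_sq / K ** 2, e_sq / e_ta ** 2

def squared_gap_reduction(K, X, samples, seed=0):
    """How much the normalised squared gap E[Y^2]/E(Ta)^2 shrinks when the secret is
    'knowledge of all X old secrets'; the text predicts a factor of X."""
    single = gap_stats(K, 1, samples, seed)[2]
    compound = gap_stats(K, X, samples, seed + 1)[2]
    return single / compound

if __name__ == "__main__":
    print("E|Y|/K, E[Y^2]/K^2, E[Y^2]/E(Ta)^2 for one secret:", gap_stats(1000, 1, 40000))
    print("reduction of normalised squared gap with X=10 secrets:",
          squared_gap_reduction(1000, 10, 20000))
```

The first two statistics should come out near 1/3 and 1/6, matching E(|Y|) = K/3 and E(Y^2) = K^2/6 in the text; the third shrinks by roughly the factor X when the compound secret is used, which is the point of the construction: the expected work stays balanced, but a party who halts early can no longer count on a large swing in his favour.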
ABSTRACT

Investigating the capabilities of public key and related cryptographic techniques 
has recently become an important area of cryptographic research. In this paper we 
present some new algorithms and cryptographic protocols (Cryptoprotocols) which 
enlarge the range of applications of public key systems and enable us to perform 
certain transactions in communication networks. The basic cryptographic tools used 
are Rabin's Oblivious Transfer Protocol and an algorithm we developed for Number 
Embedding which is provably hard to invert. 

We introduce the protocol Subscription to a Public Key, which gives a way to 
transfer keys over insecure communication channels and has useful applications to 
cryptosystems. We develop the Secret Blocking Protocol, specified as follows : 'A 
transfers a secret to B, B can block the message. If B does not block it, there is a 
probability P that he might get it. (1/2 <P < 1, where we can control the size 
of P). A does not know if the message was blocked (but he can find out later)'. 

The classic cryptotransaction is the Mental Poker Game. A cryptographically 
secure solution to the Multi Player Mental Poker Game is given. The approach 
used in constructing the solution provides a general methodology of provable and 
modular Protocol Composition 
1. INTRODUCTION

Complexity-based cryptography has two major areas of application: Public Key
Cryptosystems [7] [15], to provide secure and authenticated communication, and
Cryptographic Transactions, Cryptotransactions for short, to enable simulation of
certain activities in communication [4] [6] [17]. These activities, while easily done 
face to face seem impossible to perform through the use of a communication 
network. 

In this paper we present some new Cryptoprotocols to be used both for increasing 
security and flexibility of Public-Key Cryptosystems and as tools for implementing 
Cryptotransactions. The security of these protocols is based on the intractability of 
the factorization problem. The basic cryptographic tools used are Rabin's Oblivious 
Transfer Protocol and an algorithm for number embedding which is provably hard 
to invert. The results reported here were motivated by Blum's paper [4] and are 
based on [19]. 

We introduce the protocol Subscription to a Public Key, used for transferring 
keys over insecure communication channels and which has useful applications for 
cryptosystems. We then develop the Secret Blocking Protocol, specified as follows : 
"A transfers a secret to B. B can block the message. If B does not block the 
message he gets it with probability = P, where 1/2 < P < 1, and we can control 
the size of P. A does not know if the message was blocked, but he can find out 
later". 

The classic cryptotransaction is the Mental Poker Game. The problem, proposed 
by Robert Floyd, is: 'Is it possible to play a fair poker game over the telephone?' 
Shamir, Rivest and Adleman [17] proved that from an information theoretic point of 
view it is impossible to play the game. They showed, however that from a 
complexity theoretic point of view, the game can be played, using the one way 
commutative modular exponentiation function. Although their protocol is elegant 
and the number of players is unlimited, Lipton [10] showed that one can easily 
mark some subsets of cards using it. We present a cryptographically secure 
solution to the Multi Player Mental Poker Game. Different solutions to the Two 
Player Mental Poker Game have recently been obtained independently by Blum [5], 
and by Goldwasser and Micali [8]. Their solutions include a protocol for Two Player 
Card Dealing. 

The approach used in constructing the solution gives a general methodology of 
provable and modular Protocol Composition. 






2. Number Theoretic and Cryptographic Background 

2.1. NUMBER THEORETIC ALGORITHMS AND PUBLIC KEY SYSTEMS 

The main assumption is: FACTORIZATION of a number n = p q, where p and q 
are large (say 100-digit) prime numbers is HARD to solve. On the other hand, 
some number theoretic algorithms that we use are EASY (random polynomial time). 
These include the primality test [18] [9], prime generation and root extraction of 
x^2 (mod n) given the factors of n [12]. (For a survey of number theory and number 
theoretic algorithms see [11] [9] [1].) In the protocols presented in this paper, we 
need an underlying public key system in order to transmit encoded and signed 
messages and to hide information using one way functions. Either the RSA system 
[15], the Rabin system [12], or the Blum-Goldwasser system [3] can be used. (If 
we use RSA we add the assumption that RSA breaking is HARD.) 

2.2. RABIN'S OBLIVIOUS TRANSFER PROTOCOL 

Rabin found a way to send a secret obliviously, that is, the sender A does not 
know if the secret is successfully transmitted to B, the probability of success is 1/2. 

Protocol 1 - THE OBLIVIOUS TRANSFER: 

step 1 : A creates a number n = p q. (The prime factorization of n is the secret.) 
step 2 : A->B : " n ". (-> means 'sends to'.) 
step 3 : B selects a random x and computes z = x^2 (mod n). B->A : " z ". 
step 4 : A, knowing the factorization of n, computes the 4 square roots of z = 
{ x, -x, y, -y }. He selects at random one of them, calls it s and A->B : " s ". 
step 5 : If B receives y or -y he gets the secret; if he receives x or -x he does not. 
end {protocol 1} 

Theorem 1: Given x,y ∈ Z_n^* (that is x,y < n and do not divide n), x ≠ y 
(mod n), -x ≠ y (mod n) and x^2 ≡ y^2 (mod n), there is an EASY algorithm 
for factoring n. 

Based on the previous theorem we can prove the properties of the above protocol: 

Theorem 2: Using the oblivious transfer protocol, B can factor n (get 
the secret) with a probability (virtually) equal to 1/2. A can not know if 
he transferred the secret successfully. 

2.3. ONE WAY NUMBER EMBEDDING 

Number embedding is an algorithm which gets a number M as input and 
distributes it into some pieces of information EM(M) which hide M. Giving EM(M) 
does not compromise M because in order to recover the number from the available 
hiding information one has to solve a HARD problem. EM(M) can be recovered to 
one and only one number: M. In [4] Blum gave such an algorithm. Here we use 
polynomial interpolation to design a number embedding algorithm that is provably 
HARD to recover. 

Algorithm 2 - EMBEDDING USING INTERPOLATION. 
step 1: Choose K (say K=10) random 100-digit prime numbers p_i, i=1,..,10. 
step 2: Choose 10 random 99-digit prime numbers q_i, i=1,..,10. 
step 3: Construct a polynomial of degree 10: P (mod R), where R is a large prime 
(R > p_i, q_i, i=1,..,10), by using the 11 interpolation points : (p_i, q_i), i=1,..,10, and 
(0, M). 

step 4: Compute n_i = p_i q_i (n_i hides interpolation point i). The embedding of M is 
the sequence consisting of: R (the modulus), the numbers n_i, i=1,..,10, and a point 
(u,v) such that v = P(u), where u is a random number different from 0 and the p_i's. 
end {algorithm 2} 

The Result of the Algorithm: 
Given EM(M), one has to factor the 10 n_i's to recover the unknown 
M. Factorization of any 9 of them does not help (see [16]). Given M_1 ≠ M_2, we 
can embed both using the same n_i's; only the additional random point (u,v) is 
different. Therefore we can prepare all the n_i's before the communication. EM is 
a one way one to many random operator. Using the fact that generation of 
numbers of the form n = p q is easy, and the random polynomial algorithm [2] [13] 
for finding roots of polynomials over GF(R), we can show that recovering M is 
polynomially equivalent to factorization. The reduction to factorization is given in 
the following theorem: 

Theorem 3: If we can easily recover M from EM(M) (even in ε of the 
times) we can easily factor numbers of the form n = p q. 

Now consider the oblivious transfer protocol. If we want A to be able to check 
whether or not he gave B the secret then we use Oblivious Transfer With Receipt. 
When B sends z = x^2 (mod n) he also sends EM(x), which is the receipt that 
hides x unambiguously. The receipt also makes it possible to check that z was 
created by squaring an x ∈ Z_n^* and is not a 'special quadratic', a quadratic such that 
knowledge of any of its roots enables factorization. It was suggested in [14] to 
overcome this problem by sending K quadratics in step 3, from which B chooses 
K-1 at random and asks A to send their roots first; then the protocol goes on 
with the remaining quadratic. 
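Algorithm 2 and the recovery argument of Theorem 3, as an added example that is not from the paper: the sizes are toy (3-digit p_i, 2-digit q_i, R = 10007 and u = 5 are constructed), so the HARD step of factoring every n_i is simulated by trial division.

```python
# Added example (not from the paper): Algorithm 2 at toy size.  The paper's
# 100-digit primes are replaced by 3-digit p_i and 2-digit q_i so that the
# HARD step (factoring the n_i) can be simulated by trial division.


def lagrange_at(points, x0, R):
    """Evaluate at x0 the unique polynomial of degree < len(points) over
    GF(R) that passes through `points`, a list of distinct (x, y) pairs."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % R
                den = den * (xi - xj) % R
        total = (total + yi * num * pow(den, -1, R)) % R
    return total


def embed(M, pq_pairs, R, u):
    """Algorithm 2.  pq_pairs = [(p_i, q_i)] with p_i > q_i (the paper uses
    100- and 99-digit primes, so the two are told apart by size), R a prime
    larger than every p_i, q_i and than M, u != 0 and u not equal to any p_i.
    Returns EM(M) = (R, [n_i], (u, v)) with n_i = p_i*q_i and v = P(u), where
    P is the degree-K polynomial through (0, M) and the K points (p_i, q_i)."""
    assert 0 <= M < R and u != 0 and u not in {p for p, _ in pq_pairs}
    assert all(R > p > q for p, q in pq_pairs)
    v = lagrange_at([(0, M)] + list(pq_pairs), u, R)
    return R, [p * q for p, q in pq_pairs], (u, v)


def trial_factor(n):
    """Stands in for the HARD step: returns (p, q) with p > q for n = p*q.
    Only feasible because the toy n_i are tiny."""
    d = 2
    while n % d:
        d += 1
    p, q = n // d, d
    return (p, q) if p > q else (q, p)


def recover(em, factorizations):
    """Whoever knows ALL K factorizations has K+1 points (the (p_i, q_i) plus
    the public (u, v)), which determine P uniquely, so M = P(0).  With any
    K-1 of them only K points are known and every M is still consistent."""
    R, ns, (u, v) = em
    points = [factorizations[n] for n in ns] + [(u, v)]
    return lagrange_at(points, 0, R)


# Constructed toy parameters: K = 4, R = 10007 (prime).
TOY_PQ = [(101, 83), (103, 89), (107, 97), (109, 71)]
TOY_R = 10007


def demo(M=4242, u=5):
    """Embed M, then recover it by factoring every n_i; returns (EM(M), M')."""
    em = embed(M, TOY_PQ, TOY_R, u)
    facts = {n: trial_factor(n) for n in em[1]}
    return em, recover(em, facts)
```

Embedding a second value with the same TOY_PQ reuses the same n_i's and changes only (u, v), as the text states.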

3. SUBSCRIPTION TO A PUBLIC-KEY 

The problem is: A has a public-key E = (n,e), based on n = p q (RSA [15], Rabin 
[12] or Blum-Goldwasser [3]). A wants B to subscribe to the key, namely to get 
the decryption key D = (n,d). To solve this problem without compromising the key, 
A and B use the following cryptotransaction: 
Protocol 3 - SUBSCRIPTION TO A KEY 
step 1 : A publicizes E. 
step 2 : 

a. B chooses K random numbers (say K=10): x_1,...,x_10. 

b. B checks: if gcd(x_i,n) is not trivial for some x_i, then STOP. (B got the key; the 
chance for this is virtually zero.) 

Otherwise B computes z_i = x_i^2 (mod n), i=1,..,10. B->A : " z_i, i=1,..,10 ". 
step 3 : 

a. A, knowing the factorization of n, computes the 4 square roots of z_i = 
{ x_i, -x_i, y_i, -y_i }, i=1,..,10. 

b. A uses procedure SELECT to choose one of the roots, and calls it s_i (the 
SELECT process makes sure that if z_i is sent twice then the same s_i is chosen). 

c. A->B : " s_i, i=1,..,10 ". 
end {protocol 3} 

Theorem 4: The protocol "Subscription to a Public-Key" ensures: 

1. B gets the decryption key with probability at least 1 - (1/2^10). 

2. An eavesdropper cannot get information from the protocol which helps 
him factor n. 

The above protocol has several applications to cryptosystems (e.g. distribution of a 
group key). 
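Protocol 1 and Protocol 3 together, as an added example that is not the paper's code: p and q are toy 16-bit primes congruent to 3 (mod 4) generated inline, and SELECT, whose internals the paper does not give, is realised as a keyed hash of z (an assumption), which is enough to return the same root whenever the same z is sent twice.

```python
# Added example (not from the paper): Protocol 1 and Protocol 3 at toy size.
# Toy 16-bit primes p, q = 3 (mod 4) are generated inline; SELECT is realised
# here as a keyed hash of z, one hypothetical way to meet the paper's
# requirement that a repeated z always receives the same root.
import hashlib
import random
from math import gcd


def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def next_blum_prime(start):
    """Smallest prime >= start with p = 3 (mod 4); for such p a square root
    of a quadratic residue z is z^((p+1)/4) mod p, which keeps step 4 short."""
    p = start | 1
    while not (is_prime(p) and p % 4 == 3):
        p += 2
    return p


def crt(rp, rq, p, q):
    """Combine residues mod p and mod q into the residue mod p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def four_roots(z, p, q):
    """Step 4 of Protocol 1: A, knowing p and q, computes the four square
    roots {x, -x, y, -y} of z mod n = p*q (z must be coprime to n)."""
    rp = pow(z, (p + 1) // 4, p)
    rq = pow(z, (q + 1) // 4, q)
    return tuple(sorted({crt(a, b, p, q) for a in (rp, p - rp)
                                          for b in (rq, q - rq)}))


def select_root(z, roots, select_key):
    """Hypothetical SELECT: the root index is a keyed hash of z, so B gains
    nothing by sending the same z twice (he gets the same s back)."""
    h = hashlib.sha256(select_key + z.to_bytes(16, "big")).digest()
    return roots[h[0] % 4]


def factor_from_roots(n, x, s):
    """Theorem 1: two roots with s != +/-x give a factor via gcd(s - x, n)."""
    return gcd(s - x, n)


def oblivious_transfer(p, q, x, select_key):
    """One run of Protocol 1 with the factorization of n = p*q as A's secret.
    B contributes x (steps 3-5).  Returns (s, factor of n or None)."""
    n = p * q
    z = x * x % n                                         # step 3: B -> A : z
    s = select_root(z, four_roots(z, p, q), select_key)   # step 4: A -> B : s
    if s in (x, n - x):                                   # step 5: B learns nothing
        return s, None
    return s, factor_from_roots(n, x, s)                  # step 5: B factors n


def subscribe(p, q, k, seed):
    """Protocol 3: B submits K random squares.  Each transfer succeeds with
    probability 1/2 independently, so B holds a factor of n (hence the
    decryption key) with probability at least 1 - 2^-K.  Returns that factor
    or None; `seed` drives B's coins (constructed, for reproducibility)."""
    rng = random.Random(seed)
    n = p * q
    select_key = b"A's private SELECT key (constructed)"
    for _ in range(k):
        x = rng.randrange(2, n)                           # step 2a
        if gcd(x, n) != 1:                                # step 2b: already a factor
            return gcd(x, n)
        _, f = oblivious_transfer(p, q, x, select_key)    # steps 2c-3c
        if f is not None:
            return f
    return None
```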

4. ABSTRACTION OF THE "MENTAL POKER GAME" 

4.1. SPECIFICATION OF THE GAME 

For A and B to play a fair "Mental Poker Game" we need the following 
protocols: 

1. A protocol for Dealing Cards. The security and verifiability specifications 
contain some antagonistic requirements which make the problem interesting. 

2. Protocols for other game steps: These include discarding cards from one's hand, 
opening a card, etc. in a secure and checkable way. 

3. A Protocol for the Game Management which links all the game steps together 
into a complete game. 

4.2. DEFINITION OF CARD SETS 

We define sets which are changed dynamically during the game. 
ALL - the set of all the cards which is the universal (ordered) set: {1,2,3,..,52}. 
AHAND (BHAND) - cards which are currently in the hand of A (B). 
AUSED (BUSED) - cards which were thrown from the hand of A (B). 
ASAW = AHAND ∪ AUSED, BSAW = BHAND ∪ BUSED, 
SAW = ASAW ∪ BSAW. 

AOPEN (BOPEN) [TOPEN] - cards opened by A (by B) [to the table]. 
OPEN = AOPEN ∪ BOPEN ∪ TOPEN. 

DECK = ALL - {SAW ∪ OPEN} - the cards currently in the deck. 

DECK_A = DECK ∪ BSAW - cards that according to A's partial knowledge can 
still be in the deck. 

DECK_B = DECK ∪ ASAW - possible deck according to B's partial knowledge. 

4.3. REPRESENTATION OF THE GAME 

The game is fully represented by the card sets, so we can look at the game as a 
Knowledge Set Transition System: The Interpretation of the game as a formal 
system helps us to design it and to prove its properties, using formal inference 
about user knowledge and card sets. 

States : States are positional vectors of sets which are subsets of ALL. 
A game-state : GS = (DECK, AHAND, BHAND, ASAW, BSAW, OPEN). 
A special state is the illegal state which is a dead state. 
The initial state is (ALL, ∅, ∅, ∅, ∅, ∅). 

Knowledge : The player's partial knowledge of the game, at any moment of the 
game, is also represented by a set vector. The set notation is augmented by the 
following: 1. ? - an unknown set. 2. ?^i - an unknown set of size i, where the 
size is the only knowledge about it. A's Partial-Knowledge (PK) of the game is: 

- PK(A) = (?^|DECK|, AHAND, ?^|BHAND|, ASAW, ?^|BSAW|, OPEN) 

Transitions : The transitions are the game steps {Dealing, Discarding, Opening, 
Opening from DECK}. Any illegal game step leads to the illegal state. 
Our proof technique uses assertions on knowledge and card sets, showing for 
example that the following are game-invariant: ASAW ∩ BSAW = ∅, DECK ∩ 
SAW = ∅, DECK_A ∩ DECK_B = DECK, and the fact that combining 
both players' PK's gives the game state. 

5. An Algorithm for Dealing Cards 

5.1. FIRST APPROXIMATION OF THE DEALING PROTOCOL 

The general idea. When B draws cards from DECK, they are actually offered to 
him by A as follows: 

A knows DECK_A = (DECK ∪ BSAW) = ALL - {ASAW ∪ OPEN}. 
Using this knowledge, A tries to transfer cards he has not yet seen without 
revealing which cards he is offering and without being able to know which cards 
are chosen by B. During the process of dealing B gets a card M ∈ DECK; this 
card is a random card from the deck. When B gets the j cards he needs, 
M_1,...,M_j, he is responsible for halting the dealing without trying to look at other 
cards in DECK. Then B updates : BHAND := BHAND ∪ {M_1,...,M_j}; 
BSAW := BSAW ∪ BHAND. 
Protocol 4 - THE DEALING OF CARDS PROTOCOL 

- step 1 : 

a. A chooses M_1,...,M_52 random 100-digit numbers to represent ALL. 

b. A computes f(ALL) = f(M_1),...,f(M_52); f is A's one way function. 

c. A->B : " f(ALL) ". 

- step 2 : A tries to transfer cards from the l cards of DECK_A. 

a. A embeds the cards in DECK_A. 

b. Permutation choosing - (this sub-step is eliminated later, we need it 
just for the first approximation): 

- A chooses a random permutation of {1,...,l}, P_A, and hides it 
unambiguously in EM(..P_A..). 

- A->B : " EM(..P_A..) " 

- B chooses a random permutation P_B, B->A : " P_B " 

- A computes P = (P_B P_A). Let {1,..,l} be the order of DECK_A derived 
from the order of ALL. P is a random permutation of it, and B does 
not know what P is. 

- step 3 : A sends cards to B: 

a. A->B : " EM(M_P(i)), i=1,..,l " 

b. Oblivious transfers : 

(The goal of this step is to let B factor the embeddings of cards. The 
permutation P, the probability of success of a single transfer and the 
merging of the transfers of the different cards, randomizes which cards 
are to be factored. This is Blum's idea for sending certified mail [4].) 
begin loop : 

for j=1 to k { k is the size of each embedding } 
for i=1 to l do : 

A single OBLIVIOUS TRANSFER with RECEIPT 
to enable factorization of n_j of EM(M_P(i)) 
end loop. 

c. Getting a card : During the above transfer process B factors all 
EM(M) so he gets M, then he computes f(M) and he knows which card 
M represents. If M ∈ BSAW nothing happened, else B adds M to his 
hand. 

- step 4 : After B gets the number of cards he needs, he halts the 
protocol by 

B->A : " stop, I got j cards ". 
end {protocol 4} 

The Remaining Problems 

1. It is possible that in step 4 player B must halt the process right after he took 
the last card he needed, and if he does not halt, he may see an extra card from 
DECK which he is not supposed to see. We will show a solution for this 'Halting 
Problem'. 

2. A knows a priori the order in which the cards are offered. Even if we let B 
choose which n_j he wants to try to factor in any order, there is still a bias. A 
knows at any moment (including the end of the dealing) the current probability 
with which any card is given, and different cards have different probabilities at 
least 1 - (1/l) of the time. The solution to problem 1 will solve problem 2 as well. 

5.2. SECOND APPROXIMATION OF THE DEALING PROBLEM - THE SOLUTION TO THE 
'PROTOCOL HALTING PROBLEM': "THE SECRET BLOCKING" 
The purpose of this approximation is to explain the idea of 'The Secret Blocking'. 

The Solution to the Problems: 

- 1. A (symmetrically B) has a set of public keys : 
KEY_A = REALKEY_A ∪ DUMMYKEY_A 

REALKEY_A is the set of keys for which A has both the encryption and 
the private decryption keys. For the dummy keys, A has only 
encryption keys and he can not decode messages encrypted by them. 
Half of the keys are real; half of them are dummy. (Symmetrically 
KEY_B has the same subsets.) We assume temporarily that KEYS are 
given to the parties before the game by a Judge who knows which keys 
are real and which keys are dummies. 

A (B) publishes all his encryption keys in a random order. B (A) can not 
know which keys are real, and which are dummies. We call these keys 
'root-transfer keys'. 

- 2. The oblivious transfers in step 3 of protocol 4 are as follows: 

a. Before A obliviously transfers a root, B->A : " use my root-transfer 
key K_i " and then 

A->B : " a root s_i encrypted by this key ". 

b. At first B chooses a key at random from KEY_B. If he chose a real 
key he may get the factorization with probability = 1/2, but if he chose 
a dummy key he gets information he can not decrypt. Hence the 
probability that B gets the factorization is 1/4. 

c. It is agreed that the halting of the protocol is at the end of the loop 
in step 3. After B gets all the cards he needs, he must continue the 
transfers until the end of the loop. For M_j which he has not yet 
recovered, he chooses a random number from EM(M_j) not yet factored, 
and for its root transfer he chooses a random dummy-key. Doing so he 
ensures that he gets information he can not decode and still he can not 
tell what EM(M_j) hides. Because of the random choice of root-transfer 
keys during the whole process A has no idea which information was 
blocked like this by B. This is "The Secret Blocking". The secret 
blocking also solves the second problem. What is actually done is : B 
chooses a priori which embeddings of cards to try to take and which to 
block. Thus P (the random permutation of the offered cards) can be 
chosen by A alone. 

- 3. We have a Protocol for Open Replay of the Dealing which is used for 
verification. When the game is over the Judge uses the receipts to 
replay the dealing and verifies that: 

a. B got exactly the number of cards he needed, he got them from 
DECK, and he did not see any extra cards. 

b. A always used the encryption key E which B asked him to use, and 
did not try to check a key's status by sending some other random 
message. 

5.3. HOW TO ELIMINATE THE CENTRAL JUDGE: THE SOLUTION TO THE DEALING PROBLEM 

The Idea is as follows: 
1. A chooses KEY_B for B. 

2. A publishes the chosen encryption keys. 

3. KEY_B are distributed to B using a variant of "the subscription to a public-key 
protocol", using one root and receipts. As a result B gets a real-key (dummy-key) 
with probability = 1/2 (1/2). B takes keys until he has as many as he needs (say 
30) of each subset of keys. 

4. Symmetrically B chooses keys for A. 

5. The fact that B (A) knows the encryption and the decryption keys of all keys in 
KEY_A (KEY_B) does not compromise the secret blocking. 

The Improvements to The Dealing Protocol are : 

1. In step 2 b the permutation (P) is chosen at random by A alone. 

2. In step 3.b B randomly chooses which card embeddings to try to take. He 
applies the secret blocking to embeddings he decides not to take. 

3. In step 3 b B halts the dealing and moves to step 4 at the end of the loop. 

As a result of the improvements the following theorem holds: 

Theorem 5: The "dealing of cards protocol" is correct according to its 
specification: 

a. If no player cheats, then when a player draws the cards, the following 
properties hold: Fairness, Disjointness of Drawn Cards, Security, 
Verifiability. 

b. Any case of cheating is detectable. 






6. THE COMPLETE GAME OF TWO PLAYER MENTAL-POKER 

We design a main protocol called The Game Manager which organizes the game 
and links the different steps and we design Protocols for other game steps as well. 
The game steps are: 

1. Discarding a card : A moves a card M from AHAND to AUSED in a secure 
and checkable way. 

2. Opening a card : A moves a card M from AHAND to AOPEN in a checkable 

way. 

3. Opening a card from DECK first, using protocol 4, A gives a card M to B 
then B opens M. 

It is easy to design these protocols since at the beginning of each of them a new 
random code of the abstract card sets is used. The order of ALL is the interface 
between steps and we can prove the following theorem: 

Theorem 6: The two player mental poker game is fair, secure, 
checkable and a direct simulation of the regular game (using cards) as was 
specified. 

7. GENERALIZATION: THE MULTI-PLAYER MENTAL POKER 

7.1. THE PROBLEM IN MULTI-PLAYER GAME 

In the two player game the cards are offered to B from the set DECK_A = 
DECK ∪ BSAW, and B adds the opened cards he did not previously see to his 
hand. The disjointness of the cards he takes and cards that have already been seen 
by A (at any given moment) is a consequence of the fact that combining both 
players' partial knowledge is the full knowledge of the game, and that DECK, 
ASAW and BSAW are mutually disjoint while their union is ALL. How can we 
guarantee, however, that B takes cards only from DECK and does not get any 
additional partial information, while DECK_{A_1} ∩ DECK_B ≠ DECK in the 
generalized situation? We must somehow let all the players participate in the 
dealing and still keep the mutual privacy and security constraints. 
Assumption : All messages are sent to all players. This is a minimal assumption, 
because otherwise if even two out of the K players can communicate privately, they 
can make a coalition and get an advantage over the others just by knowing each 
others' hands. Also, in order to be able to replay the protocols, we assume that 
every message is acknowledged by all the players. 

The Changes : For each player j we define the following sets: HAND_j, USED_j and 
SAW_j are respectively the cards in his hand, cards he already used and their union. 
During the game we keep 

{ SAW_j ∩ SAW_i = ∅ for i ≠ j } and { SAW_i ∩ DECK = ∅ }. 

Suppose there are K players. Let B be the K-th player and A_i, i=1,..,K-1 all the 
others. We define 

DECKTOB = ∩_{i=1}^{K-1} {DECK_i} = DECK ∪ BSAW. This is the set that player B, 
who is taking the cards, is allowed to see and to choose cards from. We call these 
cards Candidate Cards, because such a card is a candidate to be drawn by B; 
namely if a card M ∈ DECKTOB - BSAW then M ∈ DECK, and B can take it. 
The multi-person dealing protocol is a two-stage protocol: DECKTOB generation 
stage and Card drawing stage. These two stages are two coroutines; each of them 
has a current state and they run concurrently. 



7.2. THE SOLUTION : A PROTOCOL FOR MULTI-PLAYER DEALING OF CARDS 

Protocol 5 : MULTI-PLAYER DEALING 
(A_i, i=1,..,K-1 deal cards to B = A_K. They start at stage A.) 
current state of stage A is : "begin the stage in step 1". 
current state of stage B is : "begin the stage in step 6". 
Stage A: DECKTOB GENERATION 
The stage starts at its current state: 

step 1 : The K-1 players choose a common random permutation of 1,..,52 : Q 
(B does not know what Q is). They embed Q unambiguously in EM(Q), and 
transfer it to B. (The communication between the K-1 players can be done using a 
group key, see section 3.) 

step 2 : Every player A_i chooses his own private current code of ALL : ALL^i. 
Each A_i -> B : " Q(f_i(ALL^i)) ". 

(The players do not reveal the cards in the right order, but rather, a random 
permutation of them.) 

step 3 : For player A_i let : DECK_i = DECK ∪ (∪_{j≠i} SAW_j) 
= ALL - SAW_i. A_i embeds each card M ∈ DECK_i in EM(M). 
step 4 : Each A_i chooses a private random permutation P_i. 
A_i -> B : " P_i(EM(DECK_i)) " 

(The cards are offered in order P_i; A_i has to remember this order.) 
step 5 : Opening of cards : B tries to open cards using OBLIVIOUS TRANSFERS, 
alternately with A_i, i=1,..,K-1. He makes iterations over the embedded cards as in 
the two player case. During this process B can get the following information : 
a. Factoring of a card embedding : B gets a card code M of some of the other 
players A_i. He can compute f_i(M), but this gives him no idea what M is because 
he gets only the place of M in the permutation Q, which is a random permutation, 
and M is just a random number. 

b. Getting a candidate card : During the transfers B realizes that a card is offered 
to him by all the other players (the same place in Q was revealed in all Q(ALL^i)). 
This card is either in DECK or in BSAW so it belongs to DECKTOB (it is a 
candidate card). Suppose B needs v cards and during the process he gets v random 
candidates. Then the players remember the current state of stage A and go to 
Stage B. 

end {Stage A} 
Stage B : CARD TAKING 

(In this stage only B and one of the players (A_1) are playing, but the others get 
and acknowledge all messages.) 

The stage starts at its current state: 

step 6 : A_1 chooses a new code of ALL : ALL^1. 
A_1 -> B : " f_1(ALL^1) " (This time without permuting the order.) 

step 7 : A_1 embeds each M ∈ DECK_1 in EM(M). 
A_1 -> B : " P_1(EM(DECK_1)) ". (He uses the same permutation P_1 he used in stage 
A; the permutation of DECK_1 is the interface between the two stages.) 

step 8 : B and A_1 use iterations of OBLIVIOUS TRANSFERS in order to let B 
factor the embeddings. B knows which card in the permutation P_1 is a candidate; 
using the SECRET BLOCKING he chooses to open only candidates. 

Taking a card : When B gets all the factors of the embedding of a candidate card, 
he recovers M and computes f_1(M). If M ∉ BSAW he takes it. If B gets all the 
cards he needs, he stops the process by B->A_1 : " stop, I got j cards ". If he has 
already seen some of the candidates, then the players return to stage A. 

end {Stage B} 

end {protocol 5} 

The reduction of the multi-player case to several two-player protocols implies the 
following: 

Theorem 7: The protocol for Multi-player Dealing of Cards simulates 
dealing of cards and has the specified properties of security, verifiability 
and fairness. 

8. CONCLUSIONS 

We presented cryptoprotocols which can be used with a public-key cryptosystem. 
The subscription to a public-key and the secret blocking protocols are cryptographic 
tools, augmenting the power of public-key systems. Developing these tools and their 
applications and solving the multi-player mental poker game extends our knowledge 
of the power of cryptographic techniques, the range of applications of these 
techniques, and the boundaries between the possible applications and the impossible 
ones. The study of these subjects is one of the main targets of recent 
cryptographic research. 

In designing the protocols, we used a methodology that can be used for designing 
and proving the correctness of long cryptoprotocols. We observe four main design 

stages: 

1. The axiomatic stage: We have two kinds of axioms: a. The underlying 
mathematics. b. The computational environment: rules of communication, user 
behavior, etc. 

2. The basic Cryptographic Techniques: Based on our axioms, we use or construct 
basic algorithms and cryptotransactions like the RSA system, Oblivious Transfer, 
Number-Embedding. 

3. Top-Down Design of the protocol: The problem at hand is divided into sub- 
problems (analogous to modular design of a computer program). For every sub- 
problem we develop a cryptoprotocol using the basic tools of stage 2. We take 
care of the security and other specified properties of the sub-problems' protocols, at 
the same time ensuring the specified properties of the whole process. We use an 
inference system which includes "security logic" and "process logic". (In our case 
we prove formal assertions about card sets and users' information and we use the 
global order of the cards to concatenate steps.) 

4. The Process Protocol: After stage 3 the process is executed over the 
communication channels according to the rules of the original process. We also 
handle additional administrative communication which we ignored when we 
concentrated on the problem. 

This approach of divide and conquer (using the same or other system axioms and 
proof techniques) will undoubtedly be used in other complex and long 
cryptoprotocols that will be designed in the future. 
1. INTRODUCTION 

The situation is quite serious. After four years of research, there has been no satisfactory way for a 
group of card sharks to play poker over the phone. Until now. In this paper, we present a new method 
for playing 'mental poker,' discuss its significance, and mention some of the further questions it raises. 
Ante up. 

The rules for mental poker are just like regular poker, except that players communicate over the phone, 
and there are no physical cards. The hard part of mental poker is dealing the cards. Hands must be 
random and disjoint, and players should not be able to claim to have any cards but those dealt (a sleeve 
will hold as many 'virtual cards' as angels will fit on the head of a pin). 

Playing mental poker is a difficult problem for a number of reasons. The foremost reason is that it is 
impossible, a result due to Shamir, Rivest and Adleman [1]. Of course, this is an information-theoretic 
result, and the same reference presents a method for playing mental poker that relies on the difficulty of 
inverting certain cryptographic transformations. Unfortunately, a cryptographic flaw allows players to 
determine the color of each other's cards [2]. This set the stage for a new implementation devised by 
Goldwasser and Micali, which was proven to hide all partial information (up to an explicit cryptographic 
assumption) [3]. Unfortunately, this implementation works only for two players, which is a very restricted 
kind of poker. Next, Barany and Furedi devised a protocol that permits three or more players to play 
poker [4], but only if players are not permitted to form coalitions. If two players conspire, they can learn 
the contents of everyone else's hands. The following section discusses this history of mental poker in 
more detail, outlining the key ideas, contributions and limitations of this earlier work. 

This paper presents a new way of playing mental poker. Unlike earlier solutions, it is secure against 
coalitions, permits any number of players, and uses inexpensive, highly secure cryptographic techniques. 
The protocol does require the participation of a trusted party to shuffle the cards. However, thereafter 
the trusted party does not participate in the protocol. The protocol can be easily adapted to play almost 
all types of poker known to the authors. 

Of course, poker is a metaphor for any system in which users should have only partial information about 
the dynamic allocation of resources. Beyond this, the poker protocol presented here takes on a broader 
significance because of the simple tools used in its implementation. 

2. THE HISTORY OF MENTAL POKER 
2.1 A Protocol based on Commutativity 

To our knowledge, the first attempt to play mental poker was made by Niels Bohr during a skiing 
vacation near Oberaudorf in 1933. At Bohr's instigation, he, his son Christian, Felix Bloch, Carl 
Friedrich, and Werner Heisenberg attempted to play poker without cards, each player calling out the 
contents of his nonexistent hand. Heisenberg reports "The attempt was made, but did not lead to a 
successful game." Apparently, the players did not pursue the problem further, finding adequate , 
challenge in other research areas. [5 ' 

Much later, the problem was independently posed by Robert Floyd. This led to the first formal results 
on mental poker, in a 1979 research report by Adi Shamir, Ronald Rivest, and Leonard Adleman, later 
published in The Mathematical Gardner [1]. In the spirit of modern cryptography, they began by proving 
the problem impossible to solve. The argument is very simple: if Alice and Bob are playing poker, either 
Bob can claim to have a straight-flush every time, or Alice has enough information to determine Bob's 
hand. Having established the problem as adequately challenging, Shamir, et al proceeded to solve it. 
Their solution circumvents the impossibility result by exploiting 'hidden' information. Alice knows Bob's 
hand in the sense that it is the unique solution to a computational problem, but finding that solution is 
beyond her capabilities. Verifying the solution, once Bob divulges his hand, is easy. 

More specifically, this first poker protocol utilizes the power of commutative cryptosystems. Let E_A and 
D_A be Alice's encryption and decryption functions, respectively, and let E_B and D_B be Bob's. Suppose 
that E_A(D_B(x)) = D_B(E_A(x)) and E_B(D_A(x)) = D_A(E_B(x)) for all messages x. Then Alice and Bob play a 
hand of poker as follows (it is a simple exercise to extend this protocol to three or more players). 

Let the deck of cards be any encoding of the set {1,...,52} appropriate for the cryptosystem. Alice 
encrypts each card in the deck separately, randomly orders the resulting set {E_A(1),...,E_A(52)}, and sends 
it to Bob. 

Bob chooses five encrypted cards at random, say {E_A(18), E_A(24), E_A(27), E_A(31), E_A(39)}, and sends them 
back to Alice, who now knows her hand is {18,24,27,31,39}. 

Next, Bob chooses five different encrypted cards, say {E_A(3), E_A(12), E_A(15), E_A(35), E_A(41)}, encrypts 
them, and sends the randomly ordered set {E_B E_A(3), E_B E_A(12), E_B E_A(15), E_B E_A(35), E_B E_A(41)} back to 
Alice. 

Alice decrypts each element of the set, and sends the resulting set, {E_B(3), E_B(12), E_B(15), E_B(35), 
E_B(41)}, back to Bob. 

Bob decrypts the set to get his hand, {3,12,15,35,41}. 

Once the hand has been played, Alice and Bob exchange their encryption keys and verify that each 
played fairly (until this point, both players could claim to have any hand they like, so long as it did not 
happen to intersect their opponent's hand). Both Alice and Bob's encryption keys must be uniquely 
determined by the messages sent during the deal. Otherwise, Alice or Bob could divulge the key which 
decodes the best hand. It is also important that the encryption function hide all of the message— leaking 
even a single bit about a card (such as its color) can make a significant difference. 

Shamir, Rivest and Adleman suggest a particular commutative cryptosystem for implementing their 
protocol. It is based on modular exponentiation. Alice and Bob agree on a large odd prime number n, 
and separately choose secret keys $k = A$ or $k = B$, where $\gcd(A, n-1) = \gcd(B, n-1) = 1$. Then $E_k(x) = x^k \pmod n$ 
and $D_k(x) = x^{k'} \pmod n$, where $k k' \equiv 1 \pmod{n-1}$. 

2.2 These Cards are Marked! 

Shortly after this protocol and implementation appeared in a technical report, Lipton observed that this 
implementation leaks at least a bit of information [2]. This is because exponentiation modulo n preserves 
quadratic residues. A number x is a quadratic residue modulo n provided $x \equiv y^2 \pmod n$ for some y. 
Otherwise, x is a quadratic nonresidue. Half of the integers are quadratic residues modulo n, for n a 
large prime. For such n it is easy to determine whether a number is a quadratic residue. Finally, since 
k must be odd, $x^k \pmod n$ is a quadratic residue if and only if x is. Thus, knowing which cards are 
quadratic residues, and comparing these against the encrypted cards Alice sends him, Bob has about a bit 
of information per card. 

Of course, the cards could be encoded originally so that they are all quadratic residues (or all quadratic 
nonresidues). Lipton discusses this and other suggestions for strengthening the cryptosystem, but notes 
that there is still no guarantee that the result is secure. Indeed, the indication is that bits may still leak. 
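The exponentiation cipher of Section 2.1, run through the two-player deal, followed by the residue check of Section 2.2, as an added example that is not the paper's code. The prime P = 1000003, the seed, and the card encodings (cards as 1..52, and as their squares for the mitigation the text mentions) are constructed for the demonstration; the paper only asks for a large odd prime.

```python
# Added example (not the paper's code): the Shamir-Rivest-Adleman exponentiation
# cipher of Section 2.1 run through the two-player deal, then Lipton's
# quadratic-residue observation of Section 2.2. The prime P, the seed and the
# card encodings are constructed for the demonstration.
from math import gcd
import random

P = 1000003   # constructed odd prime; the paper only requires "a large odd prime n"

def keygen(rng, n=P):
    """Secret k with gcd(k, n-1) = 1 and k' with k*k' = 1 (mod n-1).
    Because n-1 is even, every such k is odd."""
    while True:
        k = rng.randrange(3, n - 1)
        if gcd(k, n - 1) == 1:
            return k, pow(k, -1, n - 1)

def enc(k, x, n=P):
    """E_k(x) = x^k mod n."""
    return pow(x, k, n)

def dec(k_inv, y, n=P):
    """D_k(y) = y^k' mod n; undoes E_k since x^(k k') = x when k k' = 1 (mod n-1)."""
    return pow(y, k_inv, n)

def commutes(a_keys, b_keys, x):
    """E_A(D_B(x)) == D_B(E_A(x)): the property the deal depends on."""
    (a, _), (_, b_inv) = a_keys, b_keys
    return enc(a, dec(b_inv, x)) == dec(b_inv, enc(a, x))

def commutativity_check(seed=1, x=12345):
    rng = random.Random(seed)
    return commutes(keygen(rng), keygen(rng), x)

def deal(seed=7, encode=lambda c: c):
    """Run the deal of Section 2.1; `encode` maps a card number to its deck encoding."""
    rng = random.Random(seed)
    (a, a_inv), (b, b_inv) = keygen(rng), keygen(rng)
    decode = {encode(c): c for c in range(1, 53)}
    # Alice encrypts every card separately, shuffles, and sends the deck to Bob.
    deck = [enc(a, encode(c)) for c in range(1, 53)]
    rng.shuffle(deck)
    # Bob returns five at random; Alice strips her layer and learns her hand.
    alice_hand = sorted(decode[dec(a_inv, c)] for c in deck[:5])
    # Bob adds his layer to five others, shuffles, and sends them to Alice.
    doubly = [enc(b, c) for c in deck[5:10]]
    rng.shuffle(doubly)
    # Alice strips her layer (commutativity leaves E_B in place) and returns them.
    bobs_layer_only = [dec(a_inv, c) for c in doubly]
    bob_hand = sorted(decode[dec(b_inv, c)] for c in bobs_layer_only)
    return alice_hand, bob_hand

def is_qr(x, n=P):
    """Euler's criterion: nonzero x is a quadratic residue mod prime n iff x^((n-1)/2) = 1."""
    return pow(x, (n - 1) // 2, n) == 1

def qr_preserved(k, cards):
    """Lipton's point: for odd k, E_k(x) is a residue iff x is, so Bob learns a bit per card."""
    return all(is_qr(c) == is_qr(enc(k, c)) for c in cards)

def all_residues(k, encode):
    """The mitigation the paper mentions: encode every card as a residue (here c -> c^2),
    so residuosity of the encrypted deck carries no information."""
    return all(is_qr(enc(k, encode(c))) for c in range(1, 53))

def leak_check(seed=1):
    """(leak present with plain encoding, leak absent with squared encoding)."""
    k, _ = keygen(random.Random(seed))
    return qr_preserved(k, range(1, 53)), all_residues(k, lambda c: c * c % P)
```

The squared encoding works because P exceeds 52², so the 52 squares are distinct and remain distinct after decryption; the paper's stronger point stands, though: removing the residuosity bit gives no guarantee that other bits do not leak.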

2.3 A Provably Secure Two-Person Game 

Some three years after Lipton's observation, Goldwasser and Micali published a new protocol for playing 
mental poker [3]. A major achievement of their work was a proof that discovering a single bit of an 
opponent's hand was equivalent to solving an apparently intractable problem (factoring, index finding or 
deciding quadratic residuosity with respect to composite moduli). Unfortunately, their protocol works 
only for two players. 

The details of their protocol are beyond the scope of this survey. What follows is a very simplified 
description, intended to explain why it works for only two players. 

Our friends Alice and Bob will play again. Alice shuffles a deck of cards, encrypts it using a function A, 
and sends the encrypted deck to Bob. Similarly, Bob shuffles a deck, encrypts it using B, and sends it 
to Alice. Micali and Goldwasser show how Bob can ask Alice to decrypt one card of her deck, without 
Alice knowing which card she has decrypted. This technique is the crux of their protocol and uses some 
clever computational number theory; essentially Bob asks a question about every encrypted card, but for 
only one card does Bob gain enough information to decrypt the card. (There is a later verification step 
that ensures that Bob didn't decrypt more than one card.) 

So how is the game played? Suppose Bob has drawn card x from Alice's deck. He then removes B(x) 
from his own encrypted deck, so when it is Alice's turn to draw, she can't choose B(x). Similarly, any 
card drawn by Alice is removed from her deck, so Bob can't draw it. Neither player knows what cards 
have been removed from the opponent's deck, since the decks are encrypted. 

Now it is clear why the protocol works for only two players. Alice draws from Bob's deck, which does 
not contain Bob's hand, and Bob draws from Alice's deck, which does not contain Alice's hand. If 
Charles wants to play, which deck does he choose from? If he chooses from Bob's deck, he might get a 
card Alice has, and if he chooses from Alice's deck, he might get a card Bob has. 

2.4 Three or More Players 

What happens with three or more players? Suppose Charles wishes to play with Alice and Bob. To keep 
Alice from falsely claiming to have a straight-flush, Bob and Charles must together have enough 
information to determine her hand. But neither alone need have this information. And as long as they 
cannot share information, they remain ignorant of Alice's hand. Thus, the impossibility argument of 
Shamir et al. does not work with three or more players. 

This observation was made by Barany and Furedi [4], who also present a simple protocol for mental poker 
for three or more players. Let's see how Alice, Bob and Charles can use this protocol to play poker. 
Initially, each player chooses a random permutation of the deck, A , B and C, respectively. 

Next, Bob and Charles send B and C to Alice. They do this secretly, so that they remain ignorant of 
each other's permutation. 

Now Alice secretly sends $BA^{-1}$ to Charles, and $CA^{-1}$ to Bob. 

Now the cards are ready to be dealt. Let's jump ahead to a point where Alice, Bob and Charles already 
have some cards, the sets $H_A$, $H_B$ and $H_C$, respectively, and see how new cards will be dealt. (Initially, 
these are the empty sets). We assume that the hands are disjoint so far. 

At this stage, each player has the following information. 

Alice knows A, B, C, $H_A$. 

Bob knows B, $CA^{-1}$, $H_B$, $A(H_A)$, $A(H_B)$, $A(H_C)$. 
Charles knows C, $BA^{-1}$, $H_C$, $A(H_A)$, $A(H_B)$, $A(H_C)$. 

Suppose Bob wants a new card. He gets it from Charles as follows. Charles chooses a number x not in 
$A(H_A)$, $A(H_B)$ or $A(H_C)$, and sends $BA^{-1}(x)$ to Bob, from which Bob computes his card, $y = A^{-1}(x)$. 
Bob adds y to $H_B$, and both Bob and Charles add x to $A(H_B)$. Charles gets a card from Bob in a similar 
way. 

When Alice wants a new card, she gets it from either Bob or Charles, say Bob. Bob chooses a number x 
not in $A(H_A)$, $A(H_B)$ or $A(H_C)$, and sends x to both Alice and Charles. Alice adds $y = A^{-1}(x)$ to $H_A$, 
and Bob and Charles add x to $A(H_A)$. 

Alice plays a special role in this protocol. Thinking of her permutation as a shuffled deck of cards, 
everyone but Alice knows which cards in this shuffled deck they each hold. For instance, Bob and 
Charles may know Alice has the 3rd and 4th cards in the deck, Bob has the 34th and 51st and Charles has 
the 22nd. By picking cards in A that have not yet been dealt, Bob and Charles can keep all hands 
disjoint. Because only Alice knows how the cards are ordered by A, the cards Bob and Charles pick will 
be randomly chosen. 
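The dealing steps just described, as an added example that is not the paper's code. Permutations are stored as tuples over cards 0..51 (the paper's 1..52 shifted down by one), the seed and the five-card hands are constructed, and the last function checks the collusion weakness the next paragraph describes: two players who pool what they hold recover Alice's permutation and therefore her hand.

```python
# Added example (not the paper's code): the Barany-Furedi dealing scheme of
# Section 2.4 with permutations as tuples over cards 0..51, plus a check of the
# collusion weakness the text describes. The seed is constructed.
import random

N = 52

def random_perm(rng):
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

def inverse(p):
    inv = [0] * N
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def compose(f, g):
    """(f g)(x) = f(g(x)), so compose(B, inverse(A)) is the paper's B A^-1."""
    return tuple(f[g[x]] for x in range(N))

class Table:
    def __init__(self, seed=3):
        self.rng = random.Random(seed)
        self.A, self.B, self.C = (random_perm(self.rng) for _ in range(3))
        # Bob and Charles send B and C to Alice, who hands back the products.
        self.BA_inv = compose(self.B, inverse(self.A))   # goes to Charles
        self.CA_inv = compose(self.C, inverse(self.A))   # goes to Bob
        self.hands = {p: set() for p in 'ABC'}           # H_A, H_B, H_C (private)
        self.coded = {p: set() for p in 'ABC'}           # A(H_A), A(H_B), A(H_C)

    def _fresh_x(self):
        used = set().union(*self.coded.values())
        return self.rng.choice([x for x in range(N) if x not in used])

    def deal_to_bob(self):
        x = self._fresh_x()                      # Charles picks an undealt x
        msg = self.BA_inv[x]                     # and sends B(A^-1(x)) to Bob
        y = inverse(self.B)[msg]                 # Bob strips B: y = A^-1(x)
        self.hands['B'].add(y); self.coded['B'].add(x)
        return y

    def deal_to_charles(self):
        x = self._fresh_x()                      # Bob picks
        msg = self.CA_inv[x]                     # and sends C(A^-1(x)) to Charles
        y = inverse(self.C)[msg]
        self.hands['C'].add(y); self.coded['C'].add(x)
        return y

    def deal_to_alice(self):
        x = self._fresh_x()                      # Bob picks, sends x to Alice and Charles
        y = inverse(self.A)[x]                   # only Alice can undo A
        self.hands['A'].add(y); self.coded['A'].add(x)
        return y

    def consistent(self):
        """Hands are disjoint and every coded set is A applied to the matching hand."""
        hands = list(self.hands.values())
        disjoint = sum(len(h) for h in hands) == len(set().union(*hands))
        return disjoint and all({self.A[y] for y in self.hands[p]} == self.coded[p] for p in 'ABC')

def play(seed=3, cards=5):
    t = Table(seed)
    for _ in range(cards):
        t.deal_to_alice(); t.deal_to_bob(); t.deal_to_charles()
    return t

def colluding_view_of_alice(t):
    """Bob and Charles pool B and BA^-1: B^-1 (B A^-1) = A^-1, which decodes the
    public set A(H_A). This is the defect Section 3 removes."""
    A_inv = compose(inverse(t.B), t.BA_inv)
    return {A_inv[x] for x in t.coded['A']}
```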

The assumption that players will not collude is crucial to the protocol. If any two players share their 
knowledge, they learn not only each other's hands, but their opponent's hands, as well. No one would 
bet real money under these conditions. In Section 3, we show how Alice's special role can be played by a 
trusted party during an initialization stage, in such a way that players who collude learn only the contents 
of each other's hands. 

2.5 Other Poker Protocols 

A protocol based on ideas similar to the Goldwasser-Micali protocol was independently proposed by 
Yung [6]. Yung's protocol improves on the Goldwasser-Micali protocol by allowing more than two poker 
players. Unfortunately, his protocol is quite complex, and like the Barany-Furedi protocol, it is not 
secure against collusion: two players collectively have enough information to deduce other players' hands 
as well. 

One approach to prevention of collusion was suggested by Fich and Goldwasser [7]. The Fich-Goldwasser 
protocol is based on the Barany-Furedi protocol; the novelty is that it is not possible to transmit secret 
information in the messages of the protocol itself. If all communication between participants is restricted 
to protocol messages, then collusion is impossible. Of course, if there is some secret channel between 
players, say a surreptitious telephone line, then the protocol suffers the same defect as the Barany-Furedi 
protocol, and two colluding players can learn all hands. 

3. PRACTICAL MENTAL POKER 
3.1 Introduction 

Can we construct a poker protocol for three or more players that is secure against collusion? We now do 
so. Our protocol uses the "distributed-information" technique of Barany and Furedi. In addition, it uses 
one-way functions to authenticate information, and the services of a "Card Salesman" as a trusted 
participant. 

The Card Salesman participates in the protocol at the beginning of play. He receives a small amount of 
secret information from each player, then publicizes information that allows play to proceed. The Card 
Salesman must be a trusted participant, for he has enough information to discover all players' hands. The 
advantage of a Card Salesman over a trusted dealer (in which case the poker problem is trivial) is that 
the Card Salesman need only participate at the beginning of play. 
In many ways the role of Card Salesman is analogous to the manufacturer of a deck of cards. Serious 
poker players insist on beginning any poker game with a new deck of cards, in a box still sealed by some 
trusted manufacturer. The players then have some assurance that the cards are not marked. Both in the 
case of the card manufacturer and of the Card Salesman, the cost of the trusted participant is small. 

The poker protocol also requires the use of one-way functions. A one-way function f is a function that 
is easy to compute and hard to invert. One-way functions are valuable authentication tools. For 
instance, computer systems often store encryptions of passwords, rather than cleartext passwords. [8] 
Although there is no proof that there is any easy-to-compute function that is hard to invert (since such a 
proof would imply $P \neq NP$), practical one-way functions are easy to construct. This is because there is no 
need to construct the inverse of the one-way function, quite in contrast to the case of public-key or 
private-key encryption methods. We assume the existence of a one-way function f that is either one-one, 
or if not one-one then, given $z = f(y)$, it is computationally hard to find any x so that $f(x) = z$. Further 
discussion of one-way functions can be found in the references [8], [9]. 

The poker protocol has the following general format. At initialization, each player chooses some secret 
information. At later stages, each player makes a move that either is based on a random choice, or is 
completely determined by the secret information initially chosen. The fairness of the protocol depends 
upon the player abiding by the initially chosen secret information. To convince other players that he is 
not cheating, at the beginning of play each player broadcasts his secret information, encrypted by a 
one-way function. At the end of the game, each player broadcasts his secret information, unencrypted. Then 
all players can check that all other players followed the protocol. Note that since all messages besides 
secret messages are broadcast to all players, the information needed to check other players' behavior is 
available. Also, since one-way functions are hard to invert, after play is over, a player cannot broadcast 
secret information different from what he was using during play. 

As long as the Card Salesman and at least one player play fairly, no group of colluding players can gain 
an unfair advantage over other players. The proof of this assumes that the one-way function cannot be 
inverted. Actually, a stronger assumption is necessary, that no statistical information at all about the 
preimage of a function value can be inferred. This assumption becomes apparent in the analysis of the 
protocol, as we ignore the fact that the encrypted secret information has been published. 

3.2 The protocol 

The poker protocol assumes that two network services are available: the ability to send secret messages 
between pairs of players, and the ability to broadcast a message to all players. Actually, secret messages 
are only sent at the initialization of the protocol, and then only to the Card Salesman. All other 
messages are broadcast to all players. We assume that the network reliably provides these two services. 

The duty of the Card Salesman is to choose a random permutation π that encodes players' hands. 
Suppose Alice has a hand $H_A$. Of course $H_A$ is not known to other players, but $\pi(H_A)$ will be public 
knowledge. No player has information about π beyond the value of π on his hand. To draw a new card, 
the player must choose some $y = \pi(x)$ not in any other player's hand. This is possible since the player 
knows the π-encoded form of the other players' hands. The poker protocol then reveals to the player 
$x = \pi^{-1}(y)$ without letting any other player know x. 
So how does a player, say Charles, draw a card? Before the game starts, Alice, Bob, and Charles each 
choose a random permutation α, β, and γ, respectively, and transmit their permutation secretly to the 
Card Salesman. The Card Salesman computes the product $\Delta = \alpha^{-1}\beta^{-1}\gamma^{-1}\pi^{-1}$ and broadcasts it to all 
players. Now suppose Charles wishes to draw a card. He randomly chooses some $y = \pi(x)$ not in any 
other player's hand, and broadcasts y and $\Delta(y)$. Alice now computes and broadcasts $\alpha(\Delta(y))$. Bob 
computes and broadcasts $\beta(\alpha(\Delta(y)))$. Finally, Charles computes $\gamma(\beta(\alpha(\Delta(y)))) = x$, and of course does not 
broadcast it. Note that the same permutations α, β, γ can be used the next time Charles draws a card. 
However, permutations α, β, γ cannot be used to draw cards for a different player. 

We now describe the complete poker protocol for three players, Alice, Bob, and Charles. The 
generalization to more than three players is straightforward. 

Initialization: 

1. The Card Salesman randomly chooses a permutation π. 

2. Alice chooses three permutations $\alpha_A, \alpha_B, \alpha_C$. Similarly, Bob and Charles each choose three 
permutations $\beta_A, \beta_B, \beta_C$ and $\gamma_A, \gamma_B, \gamma_C$. All permutations are transmitted secretly to the Card 
Salesman, and their encryptions using the one-way function are broadcast. 

3. The Card Salesman computes and broadcasts the products $\Delta_A = \beta_A^{-1}\gamma_A^{-1}\alpha_A^{-1}\pi^{-1}$, 
$\Delta_B = \gamma_B^{-1}\alpha_B^{-1}\beta_B^{-1}\pi^{-1}$, and $\Delta_C = \alpha_C^{-1}\beta_C^{-1}\gamma_C^{-1}\pi^{-1}$. 

For Charles to draw a card: 

1. Charles randomly chooses $y = \pi(x)$ not in any player's hand and broadcasts y and $\Delta_C(y)$. 

2. Alice broadcasts $\alpha_C(\Delta_C(y))$. 

3. Bob broadcasts $\beta_C(\alpha_C(\Delta_C(y)))$. 

4. Charles computes $x = \gamma_C(\beta_C(\alpha_C(\Delta_C(y))))$. 

5. All players record that Charles has $y = \pi(x)$ in his hand. 

For Alice to draw a card, Alice publishes y and $\Delta_A(y)$, then Bob and Charles broadcast $\beta_A(\Delta_A(y))$ and 
$\gamma_A(\beta_A(\Delta_A(y)))$, respectively. Similarly, for Bob to draw a card, Bob publishes y and $\Delta_B(y)$, then Charles 
and Alice broadcast $\gamma_B(\Delta_B(y))$ and $\alpha_B(\gamma_B(\Delta_B(y)))$, respectively. 

End of play: Each player publishes his permutations, and checks that every other player played fairly. 
Then the debts are settled. 
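The complete three-player protocol above, as an added example that is not the paper's code. Permutations are tuples over cards 0..51; SHA-256 of a permutation stands in for the one-way function f (an assumption, since the paper leaves f unspecified); a seeded generator replaces the Card Salesman's and the players' random choices; and the end-of-play check recomputes the commitments and replays every broadcast against the revealed permutations, which is what lets each player confirm the others followed the protocol.

```python
# Added example (not the paper's code): the three-player Card Salesman protocol
# of Section 3.2. Permutations are tuples over cards 0..51; SHA-256 of a
# permutation stands in for the one-way function f (an assumption); a seeded
# generator replaces the Card Salesman's and players' random choices.
import hashlib
import json
import random

N = 52
PLAYERS = ('A', 'B', 'C')                     # Alice, Bob, Charles
# For each drawer, the order in which the other two apply their permutations,
# matching the Delta products of Initialization step 3.
ORDER = {'A': ('B', 'C'), 'B': ('C', 'A'), 'C': ('A', 'B')}

def random_perm(rng):
    p = list(range(N))
    rng.shuffle(p)
    return tuple(p)

def inverse(p):
    inv = [0] * N
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def compose(*fs):
    """compose(f, g, h)(x) = f(g(h(x))), the paper's product notation."""
    out = []
    for x in range(N):
        for f in reversed(fs):
            x = f[x]
        out.append(x)
    return tuple(out)

def commit(perm):
    """The f-encryption broadcast at initialization (one-way function assumed)."""
    return hashlib.sha256(json.dumps(list(perm)).encode()).hexdigest()

class Game:
    def __init__(self, seed=11):
        self.rng = random.Random(seed)
        self.pi = random_perm(self.rng)                  # Card Salesman's pi
        # secret[p][q]: player p's permutation for draws by q (alpha_q, beta_q, gamma_q).
        self.secret = {p: {q: random_perm(self.rng) for q in PLAYERS} for p in PLAYERS}
        self.commitments = {p: {q: commit(s) for q, s in t.items()}
                            for p, t in self.secret.items()}
        a, b, c = self.secret['A'], self.secret['B'], self.secret['C']
        pi_inv = inverse(self.pi)
        self.delta = {                                   # broadcast by the Card Salesman
            'A': compose(inverse(b['A']), inverse(c['A']), inverse(a['A']), pi_inv),
            'B': compose(inverse(c['B']), inverse(a['B']), inverse(b['B']), pi_inv),
            'C': compose(inverse(a['C']), inverse(b['C']), inverse(c['C']), pi_inv),
        }
        self.public = {p: set() for p in PLAYERS}        # pi(H_p): everyone sees it
        self.hands = {p: set() for p in PLAYERS}         # H_p: only p sees it
        self.transcript = []                             # (speaker, drawer, y, value)

    def draw(self, drawer):
        """One draw: y = pi(x) not yet dealt, Delta(y), then each helper's layer."""
        dealt = set().union(*self.public.values())
        y = self.rng.choice([v for v in range(N) if v not in dealt])
        value = self.delta[drawer][y]
        self.transcript.append((drawer, drawer, y, value))
        for helper in ORDER[drawer]:
            value = self.secret[helper][drawer][value]
            self.transcript.append((helper, drawer, y, value))
        x = self.secret[drawer][drawer][value]           # = pi^-1(y), kept private
        self.hands[drawer].add(x)
        self.public[drawer].add(y)
        return x

    def consistent(self):
        """Hands are disjoint and each public set is exactly pi applied to the hand."""
        hands = list(self.hands.values())
        disjoint = sum(map(len, hands)) == len(set().union(*hands))
        return disjoint and all({self.pi[x] for x in self.hands[p]} == self.public[p]
                                for p in PLAYERS)

    def end_of_play_check(self, revealed):
        """Check revealed permutations against the commitments, then replay every broadcast."""
        for p in PLAYERS:
            for q in PLAYERS:
                if commit(revealed[p][q]) != self.commitments[p][q]:
                    return False
        i = 0
        while i < len(self.transcript):
            drawer, _, y, value = self.transcript[i]
            expected = self.delta[drawer][y]
            if value != expected:
                return False
            for helper in ORDER[drawer]:
                i += 1
                expected = revealed[helper][drawer][expected]
                if self.transcript[i][3] != expected:
                    return False
            i += 1
        return True

def play(seed=11, cards=5):
    g = Game(seed)
    for _ in range(cards):
        for p in PLAYERS:
            g.draw(p)
    return g
```

A player who reveals a permutation different from the one committed to fails the first loop; one who broadcast a wrong value during play fails the replay. Both checks use only broadcast data, so every player can run them.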

3.3 Correctness 

Is it possible to play poker with this protocol? Certainly. It is clear that one round of the protocol 
allows a player to draw a card not in anyone else's hand. The more important question is: is anyone 
willing to play poker with this protocol? I.e., is it possible to guarantee absence of cheating? It is clear 
that before any cards are dealt, and in the absence of collusions among the players, π is random, so a 
player has no better strategy for drawing cards than random choice. But what happens in the presence of 
collusions, and after cards are dealt? We show that as long as the Card Salesman and at least one player 
play fairly, that is, they choose their permutations randomly with uniform distribution and conceal them 
from other players, then no other player or group of colluding players can gain any information on cards 
not in their own hands. 

How can we analyze the protocol? We wish to determine the probability distribution of Π, given the 
information a player or group of players have at some point during play. We know that originally π was 
chosen randomly by the Card Salesman. However, the Card Salesman publishes the permutations Δ, and 
as play proceeds information is made public about each player's private permutations. To analyze the 
probability distribution of Π, even in the presence of these additional constraints, we set up a state space 
that captures the possible values for π and also all of the permutations initially chosen by the players. 
Note that the state space does not capture the later random choices made by the players. The state space 
has a probability distribution, given by the probabilities with which the players choose their permutation. 
A player's knowledge is modelled as a subset of the possible states, specifically, all the states satisfying 
the player's knowledge. We determine the conditional probability distribution for Π, given that the state 
must satisfy the knowledge of a player or group of players. 

The analysis is given in terms of three players Alice, Bob, and Charles, assuming that Alice plays fairly, 
and Bob and Charles possibly collude. The generalization to more than three players is straightforward. 

The state space has variables $A_A, A_B, \ldots, \Gamma_C$ and Π. Each of these variables has as possible values a 
permutation on $1, \ldots, 52$. A state is a particular set of values for the variables, $A_A = \alpha_A$, $A_B = \alpha_B$, $\ldots$, 
$\Gamma_C = \gamma_C$, and $\Pi = \pi$. We use upper case letters for variables and lower case letters for particular values. 
Knowledge is denoted by a set of equations involving the variables; the set of equations specifies all 
states satisfying the equations. 

What is known, publicly and privately? We summarize it as follows. 

Alice's knowledge, $K_A$: $A_A = \alpha_A$, $A_B = \alpha_B$, and $A_C = \alpha_C$ 

Bob's knowledge, $K_B$: $B_A = \beta_A$, $B_B = \beta_B$, and $B_C = \beta_C$ 

Charles's knowledge, $K_C$: $\Gamma_A = \gamma_A$, $\Gamma_B = \gamma_B$, and $\Gamma_C = \gamma_C$ 

Public Knowledge, P (consisting of all messages that have been broadcast): 

$\Delta_A = B_A^{-1}\,\Gamma_A^{-1}\,A_A^{-1}\,\Pi^{-1}$ 

$\Delta_B = \Gamma_B^{-1}\,A_B^{-1}\,B_B^{-1}\,\Pi^{-1}$ 

$\Delta_C = A_C^{-1}\,B_C^{-1}\,\Gamma_C^{-1}\,\Pi^{-1}$. 

For each x in $\Pi(H_A)$: $B_A(\Delta_A(x)) = \beta_A(\delta_A(x))$ and $\Gamma_A(B_A(\Delta_A(x))) = \gamma_A(\beta_A(\delta_A(x)))$ 
For each x in $\Pi(H_B)$: $\Gamma_B(\Delta_B(x)) = \gamma_B(\delta_B(x))$ and $A_B(\Gamma_B(\Delta_B(x))) = \alpha_B(\gamma_B(\delta_B(x)))$ 
For each x in $\Pi(H_C)$: $A_C(\Delta_C(x)) = \alpha_C(\delta_C(x))$ and $B_C(A_C(\Delta_C(x))) = \beta_C(\alpha_C(\delta_C(x)))$ 

Lemma. Let $k = |H_B \cup H_C|$. In any probability distribution where Π, $A_A$, $A_B$, and $A_C$ are each uniformly 
distributed and independent of all other variables, then for any x not in $H_B \cup H_C$, y not in 
$\Pi(H_B) \cup \Pi(H_C)$, $\Pr[\Pi(x) = y \mid K_B, K_C, P] = 1/(52-k)$. 

Proof: We need to analyze the set of states consistent with the partial information $K_B$, $K_C$, and P; in 
particular, we need to know the possible values of Π. Say that π behaves correctly if for all x in $H_B$, 
$\pi(x) = \delta_B^{-1}(\gamma_B^{-1}(\alpha_B^{-1}(\beta_B^{-1}(x))))$ and for all x in $H_C$, $\pi(x) = \delta_C^{-1}(\alpha_C^{-1}(\beta_C^{-1}(\gamma_C^{-1}(x))))$ (that is, π has the correct 
value on $H_B$ and $H_C$). Note that all these values are part of the partial information $K_B$, $K_C$, and P. We 
claim that if π behaves correctly, then there is a state with $\Pi = \pi$ satisfying the equations in $K_A$, $K_B$, $K_C$, 
and P, and if it does not behave correctly, then there is no state with $\Pi = \pi$ satisfying the equations. 
Furthermore, once π is chosen, since the variables $B_A$, $B_B$, $B_C$, $\Gamma_A$, $\Gamma_B$, $\Gamma_C$ all have values fixed at $\beta_A$, 
$\beta_B$, $\beta_C$, $\gamma_A$, $\gamma_B$, $\gamma_C$, respectively, the values of $A_A$, $A_B$, and $A_C$ are uniquely determined. This follows by 
just examining the equations. Since each of Π, $A_A$, $A_B$, and $A_C$ are uniformly distributed and 
independent, each state arising from a choice of π is equally likely. What proportion of the choices of π 
satisfy $\pi(x) = y$? Clearly, $1/(52-k)$. 

QED 

So can Bob and Charles collude? They can of course tell each other their own cards. But by the 
Lemma, they can gain no information on cards that are not in their own hands. Thus, they cannot infer 
the cards in Alice's hand, nor can they do better than a random choice in choosing a card to draw. Of 
course, this assumes that Alice plays fairly. But it is always in Alice's interest to play fairly, since she is 
then protected from cheating by other players. 

As a technical note, we observe that the Card Salesman could choose the players' private permutations in 
addition to the permutation π. Then the Card Salesman would broadcast the permutations Δ, as before, 
and secretly communicate to each player his private permutations. It would be possible to implement this 
protocol, but it is probably easier to have all secret communication directed to the Card Salesman, as in 
the protocol presented. 

3.4 The Many Flavors of Poker 

While purists complain, the name poker applies to a wide variety of sins. Simple games like Seven-card 
Stud or Five-card Draw can be played using the protocol above directly. Cards can be drawn from the 
deck, discarded and turned face-up. More complex games are easily accommodated, but there are a few 
we cannot play. 

One author plays an abomination called Indian, in which each player is dealt a single card, face-down. 
Everyone's card is then shown to every other player, but remains unknown to its holder. After a round 
of betting, with opportunities to fold, the high card wins. A simple adaptation of our protocol allows one 
to play this game, and in general to identify a card to any subset of players in a way that can be verified 
later. 

Other games involve passing cards from one player to another. This is easy to do once, just by passing 
the encrypted card, which is then decoded for the new recipient. But in the game Anaconda, cards are 
passed more than once, and this implementation allows one to determine that a card one passed earlier is 
(or is not) being passed in subsequent rounds. A secret and subsequently authenticable message could be 
used to pass a card and avoid this problem, but the game is hardly worth the added effort. 

One thing we cannot do is return one or more cards to the deck and reshuffle it. We don't know any 
poker games which require this, but they probably exist. In fact, we need to buy a new deck from the 
Card Salesman for every hand of poker we play. Luckily, decks are cheap, and it is easy to buy lots of 
them during a single initialization. 

4. DISCUSSION 

The protocol presented here is practical enough to implement and run in real time, even on networks of 
small home computers. With the proper choice of one-way function (and Card Salesman), it is actually 
secure enough to use. This alone is a great improvement over previous solutions. 

As mentioned previously, the protocol is also significant because the tools used to play poker are very 
simple— products of permutations to hide information, one-way functions to permit verification. This 
point raises several interesting questions. What other, more powerful capabilities can be implemented 
using such simple tools? A notable example is the probabilistic signature scheme due to Rabin [9], which 
uses only one-way functions. Is there a way of characterizing the power of these tools and of establishing 
their limitations? 

The poker problem is trivial if there is a trusted Dealer to distribute cards. The Card Salesman is not 
nearly as expensive as a Dealer (we claim), but we'd really like to get rid of him completely. The 
protocol here requires the Card Salesman to choose the random π and to compute and broadcast the 
permutations Δ. Thus we would like to find a way of broadcasting a product of n secret permutations 
without divulging any factors. The RSA, and other commutative encryption schemes could be used to do 
this. Can it be done with only one-way functions and/or private-key systems? 

Poker differs from some applications, in that authentication can be carried out in a single stage, after the 
remainder of the protocol. Other protocols, such as the secret-ballot elections of Chaum [10] and 
Merritt [11], or electronic funds transfers, require authentication during the protocol itself. How important 
is this distinction, and what tools are required to implement the two types? 
We present a general signature scheme which uses any pair of trap-door 
permutations $(f_0, f_1)$ for which it is infeasible to find any x, y with 
$f_0(x) = f_1(y)$. The scheme possesses the novel property of being robust 
against an adaptive chosen message attack: no adversary who first asks 
for and then receives signatures for messages of his choice (which may 
depend on previous signatures seen) can later forge the signature of 
even a single additional message. 

For a specific instance of our general scheme, we prove that 

(1) forging signatures is provably equivalent to factoring (i.e., 
factoring is polynomial-time reducible to forging signatures, and vice 
versa) 

while 

(2) forging an additional signature, after an adaptive chosen 
message attack is still equivalent to factoring. 

Such a scheme is "paradoxical" since the above two properties were 
believed (and even "proven" in the folklore) to be contradictory. 

The new scheme is potentially practical: signing and verifying 
signatures are reasonably fast, and signatures are not too long. 
ABSTRACT 



The complexity of a finite sequence as defined by Lempel and Ziv 
is advocated as the basis of a test for cryptographic algorithms. 
Assuming binary data and block enciphering, it is claimed that the 
difference (exclusive OR sum) between the plaintext vector and the 
corresponding ciphertext vector should have high complexity, with very 
high probability. We may refer to this as plaintext/ciphertext 
complexity. Similarly, we can estimate an "avalanche" or ciphertext/ 
ciphertext complexity. This is determined by changing the plaintext 
by one bit and computing the complexity of the difference of the 
corresponding ciphertexts. These ciphertext vectors should appear to 
be statistically independent and thus their difference should have 
high complexity with very high probability. The distribution of 
complexity of randomly selected binary blocks of the same length is used 
as a reference. If the distribution of complexity generated by the 
cryptographic algorithm matches well with the reference distribution, 
the algorithm passes the complexity test. For demonstration, the test 
is applied to modulo multiplication and to successive rounds 
(iterations) of the DES encryption algorithm. For DES, the plaintext/ 
ciphertext complexity test is satisfied by the second round, but the 
avalanche complexity test takes four to five rounds before a good fit 
is obtained. 
INTRODUCTION 



A block enciphering algorithm may be regarded as a reversible 
transformation which maps binary n-vectors into binary n-vectors, for 
a given key. In modern cryptography it is usually assumed that the 
cryptographic algorithm is known and only the key is kept secret. In 
principle, a cryptographic scheme can always be broken by an exhaus- 
tive key search. However, if the key set is large, such a search 
becomes computationally infeasible. On the other hand, if the crypto- 
graphic algorithm is not well designed, the key may be discovered with 
high probability by searching a much smaller set. Thus there is a 
need to develop statistical tests to reveal such weaknesses. A recent 
and interesting test is the complexity test. We will discuss some 
properties of complexity in this paper and apply the test to modulo 
multiplication and the DES encryption algorithm. 



THE COMPLEXITY CRITERION 



Lempel and Ziv [1] introduced the idea of the complexity of a 
finite sequence and developed several of its important properties. 
Fischer [2,3] recognised the application of complexity to crypto- 
graphic algorithms. Spencer and Tavares [4] applied the complexity 
test to a layered broadcast cryptographic system and found it to be 
quite sensitive. Intuitively, the complexity of a sequence is a 
measure of the rate at which new patterns emerge as we move along the 
sequence. Starting at one end, say the left, we put a marker whenever 
a new sequence appears. The complexity is the number of distinct 
patterns which have been identified. To illustrate, consider the 
sixteen bit sequence 

X = 1001101110000111. 

Inserting a marker after each new pattern, we have 

X = 1 | 0 | 01 | 101 | 1100 | 00111 | 

and thus X has a complexity of 6. Lempel and Ziv showed that, in the 
limit, almost all binary sequences of length n have complexity ex- 
ceeding $n/\log n$. Thus for sequences of length n, the expression $C_n = 
n/\log n$ may be regarded as a threshold of complexity. If we compute 
the complexity of a large number of randomly selected binary sequences 
of length n, we can determine an IDEAL distribution of complexity as 
shown in Fig. 1 for sequences of length n = 64. The above sequences 
could also be generated by selecting 64-bit blocks from a Binary 
Memoryless Source (BMS) with equiprobable symbols. Lempel and Ziv [1] 
showed that the distribution of complexity is related to the entropy 
of the source generating the sequences and this is illustrated by the 
other two curves in Fig. 1. The curve labelled BMS is generated by a 
Binary Memoryless Source with p(0) = 0.7 and the curve labelled BSMS 
is generated by a Binary Symmetric Markov Source with p(0/0) = p(1/1) 
= 0.7. These two information sources have the same entropy (.881 
bits/symbol) but different structure and it is seen that they are 
quite close together, but distinct from the ideal distribution. The 
threshold of complexity is given by $C_n = 64/\log_2 64 = 10\tfrac{2}{3}$. 

[Figures 1 to 4 are not reproduced here; only their captions survive. Each 
plots frequency against COMPLEXITY LEVEL, with curves labelled IDEAL, 
1ST BIT CHANGED and 17TH BIT CHANGED.] 

Fig. 1: Distribution of sequence complexity for 64-bit sequences from a 
selection of binary sources. The IDEAL curve is derived from a Binary 
Memoryless Source (BMS) with equiprobable symbols. The curve labelled 
BMS is based on a BMS with p(0)=0.7 and the dashed curve is based on a 
Binary Symmetric Markov Source (BSMS) with p(0/0)=p(1/1)=0.7. 

Fig. 2: Plaintext/ciphertext distribution of complexity for 32-bit modulo 
multiplication, modulo $2^{32}$. It can be seen that the distributions fall 
short of the ideal distribution. 

Fig. 3: Distribution of complexity for right half (low order 16 bits) and 
left half (high order 16 bits) for 32-bit multiplications, modulo $2^{32}$. 

Fig. 4: Distribution of avalanche complexity for 32-bit multiplication, 
modulo $2^{32}$. The distribution depends on which plaintext bit is 
complemented to generate the avalanche effect. 

In an ideal block cryptographic system the plaintext vector P and 
the corresponding ciphertext C should appear to be independent of each 
other. Let 

S = P ⊕ C 

where ⊕ means the exclusive OR sum of the two binary n-vectors, term 
by term. Then, for a well designed cryptographic algorithm, 

C(S) > n/log2 n 

with high probability, where C(S) is the complexity of the sequence S 
(of length n). If we pick a large number of plaintext sequences P at 
random and compute C(S) in each instance, then the distribution of 
C(S) should appear as indicated by the 'IDEAL' curve in Fig. 1, where 
n = 64 in this instance. 

The complexity C(S) defined above may be referred to as plaintext/ 
ciphertext complexity, since S is the difference of P and C. In a 
similar manner, we can define a ciphertext/ciphertext or 'avalanche' 
complexity as follows. Let the plaintext vector P generate the 
ciphertext C, and P' generate C', where P' is obtained from P by 
complementing a bit in a designated location. Determine the n-vector 

U = C ⊕ C' 

where U is a measure of the difference between the ciphertexts and 
thus is also a measure of the avalanche effect. In an ideal 
cryptographic algorithm, C and C' should appear to be statistically 
independent and thus U should appear to be randomly selected from the 
set of all binary n-tuples. Letting C(U) represent the complexity of 
U, it should also be true that 

C(U) > n/log2 n 
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with very high probability. The distribution of avalanche complexity 
for a specified plaintext bit position can be estimated by selecting 
plaintext vectors at random and complementing the designated bit. The 
complexity of U, C(U), is determined in each case. If the crypto- 
graphic algorithm is well designed, the distribution generated in this 
way should match very closely with the ideal distribution generated 
by the set of all binary vectors of length n. Note that the avalanche 
complexity distribution may be a function of the bit location that is 
complemented. Such variations would reveal cryptographic weaknesses. 
Avalanche complexity can also be defined by complementing key bits 
instead of plaintext bits. It should also be noted that the avalanche 
effect can be generalized by complementing a specified combination of 
bit positions. 



THE COMPLEXITY TEST APPLIED TO MODULO MULTIPLICATION 

The operations A*B mod 2^n and A*B mod 2^n - 1, where A and B are 
binary n-vectors, are helpful for illustrating the complexity test. 
The operation * between A and B is binary multiplication, and 
reduction mod 2^n is easily implemented since overflow high order 
digits fall off the end. However, due to the fact that the carries 
propagate from right to left and the overflow drops off the end, the 
mixing effect is not uniform: the low-order bits of the product depend 
only on the low-order bits of the operands. To examine this more 
closely, we applied the complexity test to the operation A*B mod 2^n, 
for n = 32. One of the parameters, say B, is kept fixed and may be 
regarded as the key (B must be an odd integer for invertibility). The 
other, A, is a random 32-bit binary vector which is selected many 
times. The plaintext/ciphertext complexity test is performed for each 
choice of A and a distribution of complexity is obtained. This is 
shown in Fig. 2 and gives the complexity distribution over the full 
32 bits. To exhibit the non-uniformity, we can perform the complexity 
test on the left half (high-order 16 bits) and right half (low-order 
16 bits) separately. It can be seen from Fig. 3 that for the same 
choice of B (the "key"), the left half is more complex than the right 
half. 

The avalanche complexity test was also performed for the 
operations A*B mod 2^n and A*B mod 2^n - 1. It can be seen from Fig. 4 
that the complexity distribution for the modulus 2^n differs quite 
substantially from the ideal distribution, but the fit is much better 
for the modulus 2^n - 1. This can be seen by comparing Fig. 4 and 
Fig. 5, where Fig. 5 gives the avalanche complexity for modulus 
2^32 - 1. After a little reflection this should not be too surprising. 
For operations mod 2^n - 1, the carries propagate around the end 
cyclically and the effect of the carry is much more uniform. 

[Figures 5 to 8: only the captions survive extraction; the horizontal 
axis of every plot is COMPLEXITY LEVEL.] 

Fig. 5: Distributions of avalanche complexity for 32-bit multiplication, 
modulo 2^32 - 1. The curves are much closer to the ideal distribution 
than for modulo 2^32. 

Fig. 6: Plaintext/ciphertext complexity for successive rounds (layers) 
of DES. From the 2nd layer on, the curves are indistinguishable from 
the ideal distribution. 

Fig. 7: Avalanche complexity for successive layers of DES produced by 
complementing the 32nd bit of plaintext. The curves for four or more 
layers are very close to the ideal distribution. 

Fig. 8: Avalanche complexity for successive layers of DES produced by 
complementing the first bit of key. The curves are very close to the 
ideal distribution by the fourth layer. 
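
The two tests defined above, run against the multiplication experiment 
of this section, as an added example (this is not code from the paper): 
it computes the Lempel-Ziv complexity, the n/log2 n threshold, and the 
plaintext/ciphertext and avalanche distributions for A*B mod 2^32 and 
A*B mod (2^32 - 1) with a fixed odd key B, next to an ideal source in 
which C is independent of P. The Kaspar-Schuster procedure used to 
compute the complexity, the seed, the number of trials and all function 
names are this example's own choices. 

```python
"""Added example: Lempel-Ziv complexity tests on 32-bit modular multiplication."""
import math
import random
from collections import Counter

N = 32                  # block length in bits, as in the experiment of the text
MASK = (1 << N) - 1     # 2^N - 1


def lz_complexity(s: str) -> int:
    """Lempel-Ziv (1976) complexity: number of components in the exhaustive
    history of s, computed with the Kaspar-Schuster procedure."""
    n = len(s)
    if n == 0:
        return 0
    c, l, i, k, k_max = 1, 1, 0, 1, 1
    while True:
        if s[i + k - 1] == s[l + k - 1]:
            k += 1
            if l + k > n:            # the last component runs off the end
                c += 1
                break
        else:
            k_max = max(k, k_max)
            i += 1
            if i == l:               # no earlier copy: close a new component
                c += 1
                l += k_max
                if l + 1 > n:
                    break
                i, k, k_max = 0, 1, 1
            else:
                k = 1
    return c


def threshold(n: int) -> float:
    """The n/log2 n level of the text (10 2/3 for n = 64, 6.4 for n = 32)."""
    return n / math.log2(n)


def bits(x: int) -> str:
    return format(x & MASK, f"0{N}b")


def mul_mod_2n(a: int, b: int) -> int:
    """A*B mod 2^N: the overflow carries fall off the high end."""
    return (a * b) & MASK


def mul_mod_2n_minus_1(a: int, b: int) -> int:
    """A*B mod (2^N - 1): the carries wrap around cyclically."""
    return (a * b) % MASK


def pc_complexities(encrypt, trials: int, rng) -> Counter:
    """Plaintext/ciphertext test: distribution of C(S), S = P xor C, over random P."""
    return Counter(lz_complexity(bits(p ^ encrypt(p)))
                   for p in (rng.getrandbits(N) for _ in range(trials)))


def avalanche_complexities(encrypt, bit: int, trials: int, rng) -> Counter:
    """Avalanche test: distribution of C(U), U = C xor C', where P' is P with
    plaintext bit `bit` (0 = low order, N-1 = high order) complemented."""
    dist = Counter()
    for _ in range(trials):
        p = rng.getrandbits(N)
        u = encrypt(p) ^ encrypt(p ^ (1 << bit))
        dist[lz_complexity(bits(u))] += 1
    return dist


def mean(dist: Counter) -> float:
    return sum(level * count for level, count in dist.items()) / sum(dist.values())


def run_experiment(trials: int = 2000, seed: int = 1) -> dict:
    """Mean complexity under each test for an ideal source and both moduli."""
    rng = random.Random(seed)
    key = rng.getrandbits(N) | 1                  # B odd: invertible mod 2^N ...
    while math.gcd(key, MASK) != 1:               # ... and coprime to 2^N - 1 as well
        key = rng.getrandbits(N) | 1
    ciphers = {
        "ideal": lambda p: rng.getrandbits(N),    # C independent of P (the IDEAL curve)
        "mod 2^32": lambda p: mul_mod_2n(p, key),
        "mod 2^32-1": lambda p: mul_mod_2n_minus_1(p, key),
    }
    return {name: {"pc": mean(pc_complexities(enc, trials, rng)),
                   "aval_lsb": mean(avalanche_complexities(enc, 0, trials, rng)),
                   "aval_msb": mean(avalanche_complexities(enc, N - 1, trials, rng))}
            for name, enc in ciphers.items()}


if __name__ == "__main__":
    for name, r in run_experiment().items():
        print(f"{name:>11}: pc={r['pc']:.2f}  avalanche(1st bit)={r['aval_lsb']:.2f}"
              f"  avalanche(32nd bit)={r['aval_msb']:.2f}  threshold={threshold(N):.2f}")
```

Complementing the high-order bit of A under mod 2^32 always gives 
U = 2^31 (B is odd, so 2^31 * B is congruent to 2^31 mod 2^32), a vector 
of complexity 3 whatever the key; under mod 2^32 - 1 the same change 
wraps around through the carries and U varies from trial to trial. 
Running the script prints the mean complexity per test next to the 6.4 
threshold for n = 32. 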

APPLYING THE COMPLEXITY TEST TO DES 

It would be expected that the DES encryption algorithm should do 
well under the complexity tests, and this was found to be the case. 
What is also of interest is to observe how rapidly the DES algorithm 
approaches the ideal complexity distribution as we include more of the 
16 rounds or iterations. (The initial and final permutations are 
ignored.) As shown in Fig. 6, the plaintext/ciphertext complexity 
converges to the ideal after the second iteration. However, the 
avalanche complexity requires four to five iterations before there is 
a good fit. This indicates that the avalanche complexity test is more 
demanding than the plaintext/ciphertext complexity test. The 
avalanche complexity test is performed by complementing a plaintext 
bit and a key bit as shown in Figs. 7 and 8, respectively. 
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INTRODUCTION \ 

Although written about fifteen years ago, Wiesner's seminal paper, 
to which the origin of quantum cryptography must be traced back, did not 
appear in print until the spring of 1983 [W83]. The first published 
account of these ideas thus appeared in the proceedings of the second 
annual CRYPTO conference [BBBW83 ] . However, the concepts presented there 
were mostly of theoretical interest, because the technology involved in 
implementing them would have been far beyond the reach of our current 
knowledge. In particular, single polarized photons had to be trapped, 
bouncing back and forth between perfectly reflecting mirrors, and perfect 
efficiency in photon detection was required. To make up for this incon- 
venience, we could prove that no technology whatsoever, as well as no 
amount of computing power, could break some of our schemes, as long as 
some of the most fundamental principles of quantum physics hold true. 

During the two years that have elapsed since, quantum cryptography 
has come a long way towards practicality. The most important break- 
through was quite an obvious observation: God did not create photons 
as a storage medium, but rather as a communications device. This paved 
the way to a quantum channel on which passive eavesdropping is meaning- 
less, whereas any significant amount of active tampering has a high prob- 
ability of being detected. The purpose of this Update is to present a 
short summary of the new results, and to stress how they differ from the 
current trend in cryptography. 
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THE CURRENT TREND IN CRYPTOGRAPHY 

Conventional cryptosystems, such as Enigma [G79], DES [NBS77] and 
even RSA [RSA78] are based on a mixture of mathematics, guesswork and 
wishful thinking. Shannon's information theory [Shan48, Shan49] does 
not take into account the amount of computing power at the enemy's dis- 
posal. On the other hand, the theory of computational complexity is not 
yet well enough understood to prove the computational security of public- 
key cryptosystems [DH76]. Even the theory of NP-completeness [GJ79] is 
unlikely to bear any relevance to cryptography [Br79] . 

The need for such proofs was dramatically emphasized when Shamir 
[Sham82, BS83] first explained at CRYPTO 82 how to break the basic 
Merkle-Hellman knapsack scheme [MH78]. Unfortunately, until the P=?NP question 
is settled [GJ79], the security of any public-key cryptosystem is doomed 
to depend on experience and unproved conjectures. The following quote 
from the original paper on (now broken) knapsack schemes is quite elo- 
quent: "Faith in the security of these systems must therefore rest on 
intuition and on the failure of concerted attempts to break them" [MH78]. 
This is so reminiscent of what used to be said about World War II and 
earlier ciphers that one can only shiver at the thought that such is 
still the current situation. The following quotes, from an excellent 
tutorial introduction to cryptography by Diffie and Hellman, are cer- 
tainly not obsolete, although some progress has been achieved in the past 
five years: "Cryptography is currently an engineering subject in which 
there are more facts and rules of thumb than theorems or systematic 
developments", and "We expect that provably secure systems will be de- 
veloped as computer science progresses, but until that time, the current 
process of certification by mock attack will remain the most reliable 
test of a system's strength" [DH79]. 

Even the truly remarkable notion of probabilistic encryption, as 
set forth by Goldwasser and Micali in recent years [GM84], is not immune 
to an eventual breakthrough in algorithm design. The superb mathematics 
underlying these schemes can only serve to weaken the assumptions needed 
to infer their security. Nonetheless, they are also ultimately based on 
unproved conjectures in computational number theory. They have only 
changed the process of certification, which can concentrate on finding 
efficient algorithms for the relevant number theory problems, instead 
of working directly on pieces of ciphertext. Perhaps even more dis- 
turbing is the thought that such efficient algorithms may very well have 
been discovered already, but that they are being kept secret for obvious 
intelligence reasons, or in the hope of reaping a substantial profit. 
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It is nonetheless possible to prove negative theorems about mathe- 
matically based cryptosystems . For instance, Shannon proved that no 
traditional secret-key cryptosystem can achieve perfect secrecy against 
unlimited computing power, unless the key, used once only, is at least 
as long as the cleartext. Similarly, it is not hard to prove that any 
public-key distribution scheme [DH76] can be broken, given sufficient 
computing power, even if the cryptanalyst is only allowed passive eaves- 
dropping. 

QUANTUM CRYPTOGRAPHY 

The purpose of quantum cryptography is to propose a radically dif- 
ferent foundation for cryptography, viz. the uncertainty principle of 
quantum physics [Bo51]. Quantum cryptography can achieve most of the 
benefits of public-key cryptography, with the additional advantage of 
being provably secure, even against an opponent with superior technology 
and unlimited computing power, barring fundamental violations of accepted 
physical laws. It can be roundly asserted that any successful attack on 
some of our schemes would have more far reaching consequences on contem- 
porary physics than an efficient factoring algorithm, or even a proof 
that P=NP (sic), would have on mathematics and computer science. 
Perhaps even more remarkable is the fact that quantum cryptography 
allows for protocols that achieve both mathematically impossible feats 
discussed at the end of the previous section. 

Offsetting these advantages is the practical disadvantage that 
quantum transmissions are necessarily very weak and cannot be amplified 
in transit. However, a recent experiment conducted in France by Aspect, 
Grangier and Roger [AGR82] in order to test the Einstein-Podolsky-Rosen- 
Bohm gedankenexperiment [EPR35, M81] clearly indicated that quantum 
cryptography is within the reach of current technology, although more 
work is necessary for it to become economical and practical. Another 
disadvantage of quantum cryptography is that it does not provide digital 
signature [DH76] and related features, such as certified mail [B183a] 
or the ability to settle a dispute before the judge. However, these 
limitations seem to be inherent to any scheme secure against unlimited 
computing power. Also, the proposed coin tossing scheme discussed below 
is not secure against very advanced technology. 

Readers interested in implementation details of the various quantum 
cryptography schemes are referred to other conference proceedings [BBBW83, 
BB83, BB84]. Let us only briefly describe here the basic underlying 
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principles. In conventional information theory and cryptography, it is 
taken for granted that digital communications can always be monitored 
and copied, even by someone ignorant of their meaning. Such copies can 
be stored for an eventual future use, such as helping the decryption of 
later transmissions enciphered with the same secret key. However, when 
elementary quantum systems, such as polarized photons, are used to trans- 
mit digital information, the uncertainty principle gives rise to novel 
cryptographic phenomena, unachievable with traditional transmission 
media. This principle can be used effectively to design a communica- 
tions channel whose transmissions in principle cannot be read or copied 
reliably by an eavesdropper ignorant of certain key information used in 
forming the transmission. The eavesdropper cannot even gain partial 
information about such a transmission without altering it in a random 
and uncontrollable way, likely to be detected by the channel's legitimate 
users. 

Such a channel allows the unlimited re-use of a one-time pad without 
any breach of security, thus contradicting a well-established theorem 
of Shannon's. Whenever eavesdropping occurs, the enemy can gain no 
information on the message that was being sent, but the channel's legit- 
imate users are warned that eavesdropping was attempted. A new secret 
key must then be used to retransmit the previous message, as well as for 
all further transmissions. As this new key could have been sent through 
the quantum channel as a previous secure transmission using an older key, 
this scheme has been described as a self-winding one-time pad. 

More interestingly, the quantum channel achieves one of the main 
advantages of public-key cryptography by permitting secure distribution 
of random key information between two parties who share no secret infor- 
mation initially, provided both parties have access, beside the quantum 
channel, to an ordinary channel susceptible to passive eavesdropping, 
but not to active tampering. Even in the presence of active tampering, 
the two parties can still distribute a key securely if they share some 
much shorter secret information initially, provided the tampering is not 
so frequent as to suppress communications completely. These key distri- 
bution and key expansion schemes remain secure even if the enemy has 
unlimited computing power. Recall that it is a theorem that this is 
impossible to achieve for mathematically based schemes. 
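
The channel just described, simulated as an added example (this is not 
code from this paper or from its references): it follows the 
polarized-photon scheme of [BB84], which the text cites but does not 
detail. The model assumed is the usual description of that scheme: a bit 
is carried by a photon polarized in one of two conjugate bases; measuring 
in the preparation basis reads the bit, measuring in the other basis 
yields a random bit and leaves the photon in that measured state. The 
intercept-resend eavesdropper, the error-estimation sample, the seed and 
all names are this example's own. 

```python
"""Added example: the tamper-evident quantum channel, simulated (the [BB84] scheme)."""
import random

RECTILINEAR, DIAGONAL = 0, 1   # the two conjugate polarization bases


class Photon:
    """One polarized photon carrying one bit in one of the two bases."""
    def __init__(self, bit: int, basis: int):
        self.bit, self.basis = bit, basis


def measure(photon: Photon, basis: int, rng: random.Random) -> int:
    """Measure a photon in `basis`. In the basis it was prepared in, the bit is
    read exactly. In the conjugate basis the outcome is a uniformly random bit
    and the photon is left in that new state: the original polarization is
    destroyed, so it cannot be copied and re-examined later (modelling
    assumption of this example, after the uncertainty principle)."""
    if basis == photon.basis:
        return photon.bit
    photon.bit, photon.basis = rng.getrandbits(1), basis
    return photon.bit


def run_key_distribution(n_photons: int, eavesdrop: bool, seed: int = 0) -> dict:
    """Alice sends random bits in random bases over the quantum channel; Bob
    measures each in a random basis. Over the ordinary channel (readable by
    the enemy, assumed authenticated) they announce bases, keep the positions
    where the bases agree, and sacrifice half of those to estimate the error
    rate. The rest is the distributed key."""
    rng = random.Random(seed)
    alice_bits = [rng.getrandbits(1) for _ in range(n_photons)]
    alice_bases = [rng.getrandbits(1) for _ in range(n_photons)]
    photons = [Photon(b, s) for b, s in zip(alice_bits, alice_bases)]
    if eavesdrop:
        # Intercept-resend: Eve must guess a basis for every photon. A wrong
        # guess randomizes what Bob later reads in the correct basis.
        for ph in photons:
            measure(ph, rng.getrandbits(1), rng)
    bob_bases = [rng.getrandbits(1) for _ in range(n_photons)]
    bob_bits = [measure(ph, s, rng) for ph, s in zip(photons, bob_bases)]
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    check = set(rng.sample(sifted, len(sifted) // 2))
    errors = sum(alice_bits[i] != bob_bits[i] for i in check)
    return {
        "error_rate": errors / len(check),
        "alice_key": [alice_bits[i] for i in sifted if i not in check],
        "bob_key": [bob_bits[i] for i in sifted if i not in check],
    }


if __name__ == "__main__":
    for tapped in (False, True):
        result = run_key_distribution(4000, eavesdrop=tapped)
        print(f"eavesdropper={tapped}: error rate {result['error_rate']:.3f}, "
              f"keys agree: {result['alice_key'] == result['bob_key']}")
```

Without an eavesdropper the kept bits agree exactly and the checked 
sample shows no errors. An eavesdropper who measures every photon guesses 
the wrong basis about half the time, and each wrong guess gives Bob a 
random bit in a position the parties keep, so about a quarter of the 
sampled bits disagree: this is the warning the text describes, and it is 
raised without the eavesdropper having obtained a copy of the photons. 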

Finally, we also have a protocol for coin tossing [B183b] by ex- 
change of quantum messages, which is secure against traditional kinds 
of cheating, even by an opponent with unlimited computing power. Ironi- 
cally, it can be subverted by use of a still subtler quantum phenomenon, 
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the already mentioned Einstein-Podolsky-Rosen-Bohm gedankenexperiment . 
This threat is merely theoretical, however, because it requires perfect 
efficiency of storage and detection of photons, which though not impos- 
sible in principle, is far beyond the capabilities of current technology. 
The honestly followed protocol, on the other hand, could be realized 
with current technology. 

There is an interesting similarity between probabilistic encryption 
and quantum cryptography: both rely on the notion of reduction. However, 
whereas the former reduces the unproved computational complexity of some 
outstanding problems of number theory to the difficulty of breaking the 
schemes, the latter relies on the most fundamental beliefs of quantum 
physics. For instance, one such reduction can be used to prove about 
one of the coin tossing opponents that any systematic advantage he could 
get on the outcome of the coin toss could be used to effectively transmit 
information faster than the speed of light. 
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PREVIOUS WORK 

Partial key, key safeguarding, and threshold techniques appear to be another example of 
similar good ideas springing up in several places at nearly the same time — each with a different 
name and associated terminology. The use of partial key techniques actually appeared in print 
first in a technical report [Chaum 79] before the key safeguarding techniques were presented at a 
conference [Blakley 79], and before the threshold schemes were submitted for publication [Shamir 
79]. (In fact the author received comments on the technical report from Shamir, along with a 
draft of the threshold scheme.) 

The essential idea of all three techniques is that someone who knows a secret number can 
form other numbers from it, such that it is easy to compute the secret number if you know any 
fixed k of the other numbers, but knowing less than k of the other numbers gives no clue about 
the secret number. 

Feistel proposed dividing a key into parts such that the key could be recovered by forming 
the bitwise exclusive-or of all the parts [Feistel 70]. Shamir quotes a problem from a 
combinatorics text in which all fixed-size subsets of a set of scientists have sufficient physical keys 
to unlock a file cabinet protected by multiple padlocks [Liu 68]. The partial key technique, which 
works with cryptographic keys, was an improvement over the approach of the padlocks, because 
it allowed each trustee of keys to hold only one key, instead of many keys. It might be quite 
convenient in practice for small numbers of trustees, and can provide unconditional security. It 
appeared as a single paragraph and footnote in a proposal for distributed computer systems that 
can be trusted by groups who don't necessarily trust each other. The secret sharing and 
threshold techniques are far more elegant than the original partial key technique. They allow 
large systems in practice, and also can provide unconditional security. A number of similar 
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schemes have appeared subsequently. 

Since no standard terminology seems to have emerged, the following will be used: in a 
partial key system, the system creator divides the key into partial keys (Blakley's shadows, 
Shamir's pieces) that are transmitted to various trustees (Blakley's guards), such that any quorum 
(Shamir's threshold) of trustees is sufficient to recover the key, and less than a quorum of trustees 
is insufficient. 

The present work describes techniques allowing any partial key system to adapt for survival 
in the face of changing availability of trustees and even changing needs for system parameters. 

MOTIVATION 

All trustees may not always remain able and willing to recover the key in a partial key 
system. For example, a computer acting as a trustee and storing a partial key may be destroyed 
by natural or other disaster, or a human trustee may be hit by a truck. Less severe causes can 
also easily be imagined, such as hardware or software failures, or a person suffering from loss of 
memory. A trustee that will never participate in recovering a key will be said to be lost; a trustee 
able and willing to participate will be said to be present. 

Clearly it is prudent to consider scenarios in which trustees become lost. If less than a 
quorum of trustees remain after one or more trustees is lost, then it has become impossible to 
recover the key. Problems could also result from a substantial loss that leaves only a quorum of 
trustees, or relatively few more than a quorum, for reasons similar to those for having the greater 
number of trustees in the original system. For example, a loss of sufficient trustees to prevent 
recovery might then become too likely or too easy to cause, or some cooperating trustees might 
gain significant power from their ability to prevent recovery of the key. 

A solution to the problems of loss of trustees is presented in the next section. The section 
after that considers causes of unavailability of trustees other than simple loss. 

REPLACING A TRUSTEE 

The problem of loss of trustees is solved by allowing new trustees to replace lost trustees. If 
some trustee is lost, and a quorum of trustees is present, then the quorum can give a replacement 
trustee the same ability that the lost trustee had to participate in the partial key system; the 
replacing trustee is given the slot of the lost trustee replaced. 

Any partial key technique can be used in a way that allows such replacement. The ability 
to allow replacement can be "built-in" when the partial key system is first created, or it can be 
"added-on" later separately by each trustee. The added-on approach is considered first for a 
single trustee and next for all trustees. Then the built-in approach is considered. 

Suppose you as a trustee wish to make provisions that would allow your own replacement, 
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should it ever become necessary. The essential idea of the solution is that you create your own 
partial key system to allow the other trustees to recover your partial key. You divide your partial 
key into sub-partial keys. The quorum parameter you use is the same as that in the original 
partial key system, and the number of partials you generate is one less than the number of 
original trustees. Then you transmit a different sub-partial to each other trustee. (You might use 
cryptographic techniques, e.g., to provide secrecy and authentication of sub-partials transmitted.) 
If you should become lost, heaven forbid, and some present quorum wants to replace you by 
filling your slot with a replacing trustee, then each member of the quorum would separately 
transmit to the replacing trustee the sub-partial they received from you. (Again these 
transmissions might be cryptographically protected.) When the replacement gets a quorum of 
your sub-partials, the replacement is able to recover your partial — and has become able to 
participate in the original system in your place. 

If other trustees try to provide for their own replaceability in a similar way, problems may 
eventually arise since replacements won't have access to sub-partials, and consequently won't be 
able to help make subsequent replacements. Consider a solution in the homogeneous case of a 
set of trustees who each provide every other trustee with sub-partials. After a trustee receives 
sub-partials from all the other trustees, the trustee encrypts them together using the trustee's 
partial key as a key in say a conventional cryptosystem. This collection of all the sub-partials 
received by a trustee, encrypted by the trustee's partial key, will be called an extender. Thus, 
once a replacement gets sufficient sub-partials to allow recovery of the partial, the replacement 
can use the partial to decrypt the extender and obtain the full collection of sub-partials that was 
available to the replaced trustee. 

Unlike the key and partials, extenders are public. But to be of use they must of course be 
accessible. One way to treat extenders is to allow them to be copied freely, and assume that this 
provides adequate protection against all copies becoming inaccessible. Another way is for 
trustees to keep copies of extenders. 

The built-in approach promised above is easily seen by noticing that the original system 
creator knows all the partials and can thus form sub-partials, and from them the extenders. The 
system creator might, for example, transmit the sub-partials to the trustees along with the 
partials, and make the extenders public. 

ADDING A NEW TRUSTEE 

It might be desired to add new trustees without replacing any specific trustee. One reason 
might be just to expand the reliability of the system. Another reason is to be able to contend 
with missing trustees, i.e. those that are not present and not known to be lost. For example, a 
trustee might not be reachable because of a communication failure or other circumstances, or 
whether a trustee will recover from some disabled state may not be known with certainty. A 
kind of reversible replacement, even if such were possible, may not be the best approach. 
Consider for example the case where a missing trustee returns just making a quorum, but 
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recovery is impossible since the replacing and returned trustees together can contribute only one 
partial. Thus it may be desirable to compensate for missing trustees by adding new trustees. 

Now a technique for allowing new trustees to be added is presented. It is a built-in 
approach, requiring the system creator to make provisions for the additions when the system is 
created. The total number of trustees that can be added must be fixed before the system is 
created (but see the next two sections). 

The technique is essentially the same as the built-in approach of the previous section, 
except that some partials are created that are not issued to trustees initially, and extenders need 
only cover these partials. The system creator provides each initial trustee with the usual partial 
and also with a different sub-partial for each trustee slot that can be added. A quorum of the 
sub-partials for a particular such slot allows recovery of the partial for that slot. When the sub- 
partials are transmitted to a new trustee, the new trustee uses them to recover the appropriate 
partial. This partial allows the new trustee to participate in recovering the original key — just as 
any other trustee. Systems providing for the addition of more than one new trustee could use 
extenders to ensure that new trustees are themselves as capable as the other trustees of allowing 
new trustees to be added. Thus, it would be sufficient for the system creator to form an extender 
for each new trustee slot, such that each extender contains sub-partials for all the other new 
trustee slots. If the order in which new slots will be filled is fixed when the system is created, 
then the extender for a particular new slot need only contain sub-partials for the new slots that 
appear after it in the order. (A similar technique is buried in [Chaum 82].) 



REPLACING A SYSTEM 

It might be desired to replace a partial key system that is in use by a new partial key 
system — without using a mutually trusted party like the original system creator. There are 
several reasons for wanting to do this: to change the parameters of the existing system, such as 
the quorum size and the number of trustees; to change the set of trustees; or to restore the built- 
in ability to add trustees if the original provisions become depleted. Of course the extent of 
effective change may be limited because some trustees may not be relied on to destroy their old 
partial keys. If the number of trustees not destroying old partials is less than the old quorum, 
then the situation is effectively the same as if all had destroyed their partials. A quorum of 
trustees acting together will be able to replace an existing system with a new system. 

The essential idea is the same as with replacing or adding a trustee, except that the 
parameters and trustees of the sub-partials may differ from those of the replaced system. What is 
in effect created is an old quorum of partial key systems, each of whose parameters and trustees 
are the same, and each of whose keys is a partial of the replaced system. Thus, a new partial is 
actually a collection of partials, one from each of the old quorum who established the new system. 
A new quorum of such collections is sufficient to recover an old quorum of old partials, and thus 
the original key. Extenders are used only to provide for adding trustees in the new system, with 
each trustee issuing them as the system creator did in the previous section. Of course it should 
be ensured that old partials will not be destroyed until the new system is in place. 

If a newer system is to replace a new system, then each collection of the new system would 
be encrypted under a key created by the trustee holding the collection, and then made public or 
otherwise protected like extenders. The key created by each trustee would be used as the key in 
a partial key system, with the newer parameters, whose partials would be transmitted to the 
newer trustees. (A similar technique is also buried in [Chaum 82].) For arbitrary fixed maximum 
system size and parameters, the time and space requirements of a series of systems succeeding 
each other in this way are linear in the length of the series. 
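
The mechanisms of the preceding sections, as one added example that is not 
from the paper: replacing a lost trustee from sub-partials, an extender 
that lets the replacement help with later replacements, and replacing a 
system by an old quorum acting without a trusted creator. Shamir's 
threshold scheme over a prime field serves as the partial key system; the 
field, the slot numbering, the SHA-256 counter-mode stream cipher standing 
in for the text's "conventional cryptosystem", the seed and all names are 
this example's assumptions. 

```python
"""Added example: partial keys over GF(p) with replaceable trustees and systems."""
import hashlib
import json
import random

P = 2**127 - 1   # prime field for the key and all partials (this example's choice)

def split(secret, quorum, slots, rng):
    """Partial keys: a random polynomial of degree quorum-1 with constant term
    `secret`, evaluated at each slot number; fewer than a quorum of values
    leave `secret` completely undetermined."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(quorum - 1)]
    return {x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P for x in slots}

def recover(partials):
    """Lagrange interpolation at x = 0 from a quorum of {slot: partial}."""
    secret = 0
    for xi, yi in partials.items():
        num = den = 1
        for xj in partials:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def issue_sub_partials(partials, quorum, rng):
    """Added-on replaceability, homogeneous case: every trustee splits its own
    partial (same quorum) among the others. received[r][t] is the sub-partial
    of t's partial that trustee r holds."""
    received = {r: {} for r in partials}
    for t, partial in partials.items():
        others = [x for x in partials if x != t]
        for r, sub in split(partial, quorum, others, rng).items():
            received[r][t] = sub
    return received

def keystream(partial, length):
    """Stand-in for the text's 'conventional cryptosystem' (this example's
    choice): SHA-256 in counter mode keyed by the partial, as a stream cipher."""
    key = partial.to_bytes(16, "big")
    blocks = (hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
              for ctr in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def make_extender(partial, received_by_trustee):
    """Extender: the sub-partials a trustee holds, encrypted under its own
    partial. Public; only whoever recovers that partial can open it."""
    plain = json.dumps(received_by_trustee, sort_keys=True).encode()
    return bytes(a ^ b for a, b in zip(plain, keystream(partial, len(plain))))

def open_extender(partial, extender):
    plain = bytes(a ^ b for a, b in zip(extender, keystream(partial, len(extender))))
    return {int(t): sub for t, sub in json.loads(plain).items()}

def replace_trustee(lost, quorum_members, received):
    """Each member of a present quorum hands the replacement the sub-partial
    it holds for the lost slot; a quorum of them yields the lost partial."""
    return recover({r: received[r][lost] for r in quorum_members})

def replace_system(old_quorum_partials, new_quorum, new_slots, rng):
    """An old quorum installs a new system with new parameters: each member
    splits its old partial with the new parameters, and a new partial is the
    collection of one share from each old quorum member."""
    collections = {x: {} for x in new_slots}
    for q, partial in old_quorum_partials.items():
        for x, share in split(partial, new_quorum, new_slots, rng).items():
            collections[x][q] = share
    return collections

def recover_via_new_system(new_quorum_collections):
    """A new quorum of collections gives an old quorum of old partials, hence the key."""
    old_members = next(iter(new_quorum_collections.values()))
    old_partials = {q: recover({x: coll[q] for x, coll in new_quorum_collections.items()})
                    for q in old_members}
    return recover(old_partials)

def demo(seed=7):
    rng = random.Random(seed)
    key = rng.randrange(P)
    partials = split(key, 3, range(1, 6), rng)                # a 3-of-5 system
    received = issue_sub_partials(partials, 3, rng)
    extenders = {t: make_extender(partials[t], received[t]) for t in partials}
    below_quorum = recover({x: partials[x] for x in (1, 2)})  # two partials only
    # Trustee 4 is lost. Quorum {1,2,3} fills slot 4 with a replacement, who
    # opens 4's public extender and can then help with later replacements.
    del partials[4], received[4]
    partials[4] = replace_trustee(4, [1, 2, 3], received)
    received[4] = open_extender(partials[4], extenders[4])
    # Trustee 5 is lost next: quorum {1,2,4}, with the replacement, fills slot 5.
    partials[5] = replace_trustee(5, [1, 2, 4], received)
    # Old quorum {1,2,5} replaces the system by a 2-of-4 one without a creator;
    # the new quorum {2,4} still recovers the original key.
    collections = replace_system({q: partials[q] for q in (1, 2, 5)}, 2, range(1, 5), rng)
    return {"key": key, "below_quorum": below_quorum,
            "via_replacements": recover({x: partials[x] for x in (3, 4, 5)}),
            "via_new_system": recover_via_new_system({x: collections[x] for x in (2, 4)})}
```

Adding a new trustee, as in the earlier section, is the same mechanism 
as replacing one: the creator evaluates the polynomial at a slot it never 
issues, splits that partial into sub-partials for the initial trustees, 
and a quorum of those later yields the new trustee's partial. Note that 
the extender is only as secret as the partial that keys it, which is 
why, like the partials, recovered partials must never be made public. 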

OPEN QUESTIONS 

More natural and efficient mechanisms for extensibility seem possible. 

CONCLUSIONS 

Various ways to allow the trustees of a key to adjust to changes in their own membership 
and external circumstances have been described. The techniques appear to be quite flexible and 
potentially quite useful in practice. 
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